Hi,
We utilize a vulnerability scanner for our site, and there has been a vulnerability found on the latest version (7.4.1) which should be addressed. Can you please look into fixing this? ("WordPress Amelia Plugin <= 1.0.98 is vulnerable to Broken Access Control")
https://patchstack.com/database/vulnerability/ameliabooking/wordpress-amelia-plugin-1-0-96-broken-access-control-vulnerability
Thank you!
Hello,
We have forwarded your ticket to our level 2 agents and as soon as we get some feedback from them we will contact you immediately.
Kind Regards,
Marko Davidovic [email protected]
Rate my support
Try our FREE mapping plugin! MapSVG - easy Google maps, interactive SVG maps, floor plans, choropleth maps, and much more - https://wordpress.org/plugins/mapsvg-lite-interactive-vector-maps/
wpDataTables: FAQ | Facebook | Twitter | Instagram | Front-end and back-end demo | Docs
Amelia: FAQ | Facebook | Twitter | Instagram | Amelia demo sites | Docs | Discord Community
You can try wpDataTables add-ons before purchasing on these sandbox sites:
Powerful Filters | Gravity Forms Integration for wpDataTables | Formidable Forms Integration for wpDataTables | Master-Detail Tables
Hello again,
We just got the feedback from our colleagues, and they have told us that this is only for the Lite (free) version of the plugin; it is not valid for your full version. It can show like this
or this for example
But this does not affect your full license; you can see that this shows for the Lite version, which has version 1.0.98, and not for the full 7.4.1 version.
The endpoint listed is public and always has been:

GET /wordpress/wp-admin/admin-ajax.php?action=wpamelia_api&call=/entities&types[]=categories&types[]=employees&types[]=locations&types[]=events&types[]=tags&types[]=aaaaaaa HTTP/1.1

The intention from our end is to make this endpoint public. The other routes are protected with WP role permissions, but this one isn't, so non-logged-in users can have access to the booking form. That endpoint is used for logged-in and non-logged-in users. This route was registered like this:
And the "nopriv" part in it means that non-logged-in users can access the route. We do not perform permission checks on it.
You need to remove patchstack and this should not show anymore.
Should you have any further inquiries, we kindly request that you open separate tickets for each question and we will gladly help you there.
We wish you all the best and hope you have a wonderful day ahead.
Kind Regards,
Marko Davidovic [email protected]
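To illustrate the admin-ajax mechanism the support reply refers to, here is an added example (not Amelia's own registration code; the handler and action names are hypothetical) showing a deliberately public action registered on both the `wp_ajax_` and `wp_ajax_nopriv_` hooks next to a protected action that is registered only for logged-in users and still checks a nonce and a capability itself:

```php
<?php
// Added illustration of the WordPress admin-ajax registration pattern.
// Hypothetical handler and action names; not the plugin's own code.

// Public action: registering BOTH hooks makes admin-ajax.php dispatch the
// handler for logged-in (wp_ajax_) and anonymous (wp_ajax_nopriv_) requests.
// WordPress performs no authorization on either hook, so the handler itself
// must return only data that is meant to be public.
add_action( 'wp_ajax_example_public_entities', 'example_public_entities' );
add_action( 'wp_ajax_nopriv_example_public_entities', 'example_public_entities' );

function example_public_entities() {
    // Accept only the entity types a booking form needs; anything else
    // (e.g. a probe value such as "aaaaaaa") is silently dropped.
    $allowed   = array( 'categories', 'employees', 'locations', 'events', 'tags' );
    $requested = isset( $_GET['types'] ) ? (array) $_GET['types'] : array();
    $types     = array_values( array_intersect( array_map( 'sanitize_key', $requested ), $allowed ) );

    wp_send_json_success( array( 'types' => $types ) );
}

// Protected action: no nopriv hook, so admin-ajax.php answers anonymous
// requests with "0" and never calls the handler. Being logged in is not the
// same as being authorized, so the handler also verifies a nonce and a
// capability before doing anything privileged.
add_action( 'wp_ajax_example_admin_settings', 'example_admin_settings' );

function example_admin_settings() {
    check_ajax_referer( 'example_admin_settings', 'nonce' ); // dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( get_option( 'example_settings', array() ) );
}
```

When reviewing a scanner finding against a `nopriv` route, the question to answer is therefore not whether anonymous users can reach it (they can, by design) but whether the handler returns anything that is not meant to be public.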