The vulnerability identified as CVE-2025-14720 affects the Booking for Appointments and Events Calendar – Amelia plugin for WordPress, versions up to and including 1.2.38. It is classified under CWE-862 (Missing Authorization) due to the absence of proper capability checks on multiple AJAX actions. These AJAX endpoints are accessible without authentication, allowing attackers to invoke sensitive functions remotely. Specifically, attackers can mark payments as refunded without authorization, which compromises the integrity of financial transactions. They can also trigger the sending of queued notifications via email, SMS, or WhatsApp, potentially enabling spam or phishing campaigns. Additionally, attackers can access debug information that may reveal internal system details useful for further exploitation. The vulnerability has a CVSS v3.1 base score of 5.3 (medium severity), reflecting its network attack vector, low attack complexity, no privileges required, and no user interaction needed. While confidentiality is not directly impacted, the integrity of payment data and operational workflows is at risk. No patches were linked at the time of reporting, and no known exploits have been observed in the wild. The vulnerability affects all versions of the plugin, which is widely used by businesses for managing appointments and events on WordPress sites.

The primary impact of this vulnerability is on the integrity of financial and operational data within affected WordPress sites using the Amelia Booking plugin. Unauthorized marking of payments as refunded can lead to financial discrepancies, potential revenue loss, and accounting confusion. Triggering queued notifications without authorization can disrupt communication channels, potentially leading to spam, customer confusion, or reputational damage. Access to debug information may facilitate further attacks by revealing sensitive internal details. Organizations relying on this plugin for appointment scheduling and event management may experience operational disruptions and loss of trust from customers. Although the vulnerability does not allow direct data exfiltration or system takeover, the ability to manipulate payment statuses and communications can have significant business consequences. The ease of exploitation (no authentication or user interaction required) increases the risk, especially for publicly accessible WordPress sites. The scope includes any organization using the affected plugin versions, which may span small businesses to larger enterprises globally.

1. Immediately update the Amelia Booking plugin to the latest version once a patch addressing CVE-2025-14720 is released by the vendor. 2. Until patches are available, restrict access to the affected AJAX endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests targeting these endpoints. 3. Employ strict capability checks and authentication mechanisms on all AJAX actions within the plugin code if custom modifications are possible. 4. Monitor logs for unusual activity related to payment status changes and notification triggers to detect potential exploitation attempts. 5. Limit the exposure of debug information by disabling debug modes and restricting access to debug endpoints. 6. Conduct regular security audits of WordPress plugins and remove or replace plugins that are no longer maintained or have known vulnerabilities. 7. Educate staff on the risks of unauthorized refunds and establish manual verification processes for refund transactions until the vulnerability is mitigated. 8. Use security plugins that can detect and block unauthorized AJAX requests and anomalous behavior on WordPress sites.