CVE-2022-0687
📋 TL;DR
The Amelia WordPress plugin before version 1.0.47 allows authenticated users with the 'Amelia Manager' role to upload files with arbitrary extensions, potentially enabling PHP backdoor uploads. This vulnerability affects WordPress sites using vulnerable versions of the Amelia plugin. Attackers can achieve remote code execution if they gain access to a compromised Amelia Manager account.
💻 Affected Systems
- Amelia WordPress Booking Plugin
📦 What is this software?
Amelia by Tms Outsource
⚠️ Risk & Real-World Impact
Worst Case
Full site compromise through PHP backdoor upload leading to complete server control, data theft, and lateral movement within the hosting environment.
Likely Case
Unauthorized file upload leading to backdoor persistence, defacement, or data exfiltration from the WordPress site.
If Mitigated
Limited impact if proper file extension validation and user role restrictions are implemented.
🎯 Exploit Status
Exploitation requires authenticated access with Amelia Manager privileges. Public proof-of-concept demonstrates file upload bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.47
Vendor Advisory: https://wpscan.com/vulnerability/3cf05815-9b74-4491-a935-d69a0834146c
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Amelia plugin and update it to version 1.0.47 or later.
4. Verify that the update completes successfully.
🔧 Temporary Workarounds
Restrict Amelia Manager Role Access
Temporarily remove or restrict users with the Amelia Manager role until the patch is applied.
Navigate to Users > All Users in the WordPress admin and review every user holding the Amelia Manager role; the vulnerability is only reachable through such an account, so each one is an entry point until the update lands.
File Upload Restriction via .htaccess
Block PHP file execution in upload directories (Apache only; .htaccess is ignored by Nginx and requires AllowOverride to be enabled).
Add to .htaccess in the uploads directory:
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
Note: Order/Deny is Apache 2.2 syntax and works on 2.4 only with mod_access_compat loaded; the native 2.4 equivalent is Require all denied. The pattern \.php$ matches only files ending in .php, so other extensions your PHP handler may execute (for example .phtml or .php5) need to be added to the expression to be covered.
🧯 If You Can't Patch
- Remove Amelia plugin entirely if not essential
- Implement web application firewall rules to block suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Amelia version. If version is below 1.0.47, system is vulnerable.
Check Version:
wp plugin list --name=amelia --field=version
Verify Fix Applied:
Confirm Amelia plugin version is 1.0.47 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/amelia/ with .php extensions
- Multiple failed login attempts to Amelia Manager accounts
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with file upload parameters
- Unusual outbound connections from WordPress server
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND method="POST" AND params CONTAINS "action=wp_ajax_amelia_upload_file")
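The log and filesystem indicators above, turned into a small offline checker. This is an added example, not code from the advisory or from the Amelia project: it parses constructed combined-format access-log lines, flags POSTs to admin-ajax.php whose query string carries the advisory's upload action string, flags any request for a PHP-like file under /wp-content/uploads/amelia/, and walks an uploads directory for files with PHP-executable extensions. The extension list, the sample log lines and the temporary directory tree are assumptions constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Combined-log-format parser (default Apache/Nginx access log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

ADMIN_AJAX = "/wp-admin/admin-ajax.php"
AMELIA_UPLOADS = "/wp-content/uploads/amelia/"        # path named in the advisory
UPLOAD_ACTION = "action=wp_ajax_amelia_upload_file"   # action string from the advisory's SIEM query
# Assumption: extensions a PHP-enabled server may execute; ".php" alone misses the rest.
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar")


def classify_request(line):
    """Return an indicator label for one access-log line, or None if benign/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Indicator 1: POST to admin-ajax.php carrying the Amelia upload action in the
    # query string. If the action travels in the POST body the access log will not
    # show it, and a WAF or application log (as in the advisory's SIEM query) is needed.
    if m.group("method") == "POST" and path == ADMIN_AJAX and UPLOAD_ACTION in query:
        return "amelia-upload-action"
    # Indicator 2: any request for a PHP-like file under the Amelia uploads directory.
    # A 404 still matters: it shows someone probing for a dropped file.
    if path.startswith(AMELIA_UPLOADS) and path.lower().endswith(PHP_EXTENSIONS):
        return "php-under-amelia-uploads"
    return None


def flag_log_lines(lines):
    """Return (line_no, label, client_ip, path) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        label = classify_request(line)
        if label:
            m = LOG_RE.match(line)
            hits.append((n, label, m.group("ip"), m.group("target").partition("?")[0]))
    return hits


def scan_uploads(upload_root):
    """Return sorted, root-relative POSIX paths of PHP-like files under upload_root."""
    root = Path(upload_root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.name.lower().endswith(PHP_EXTENSIONS)
    )


def demo_scan():
    """Build a constructed uploads tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "2022", "02"))
        for rel in ("2022/02/booking.php", "2022/02/avatar.jpg", "Img.PHTML"):
            Path(d, rel).touch()
        return scan_uploads(d)


# Constructed sample access-log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Feb/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wp_ajax_amelia_upload_file HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Feb/2022:10:01:30 +0000] "GET /wp-content/uploads/amelia/2022/02/booking.php?x=1 HTTP/1.1" 200 77',
    '198.51.100.7 - - [10/Feb/2022:10:02:00 +0000] "GET /wp-content/uploads/amelia/avatar.jpg HTTP/1.1" 200 40213',
    '198.51.100.7 - - [10/Feb/2022:10:02:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33',
    '203.0.113.10 - - [10/Feb/2022:10:02:40 +0000] "GET /wp-content/uploads/amelia/Img.PHTML HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, label, ip, path in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: {label} from {ip} -> {path}")
    print("PHP-like files in constructed uploads tree:", demo_scan())
```

Point flag_log_lines at the real access log (for example `flag_log_lines(open("/var/log/apache2/access.log"))`) and scan_uploads at the site's uploads directory; a hit on the second indicator combined with the first from the same client is the sequence the advisory's "Likely Case" describes, and a PHP-like file under the uploads tree warrants triage regardless of log evidence.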