CVE-2022-0837: 
WordPress vulnerability analysis and mitigation

CVE-2022-0837 affects the Amelia WordPress plugin versions below 1.0.48. The vulnerability was discovered in the plugin's SMS service functionality and was publicly disclosed on March 14, 2022. The issue was identified by Huli from Cymetrics and involves improper authorization handling in the Amelia SMS service (WPScan).

The vulnerability is classified as a Missing Authorization (CWE-862) issue with a CVSS score of 4.3 (medium). The technical flaw lies in the plugin's failure to implement proper authorization controls when handling the Amelia SMS service. This allows any customer with basic access to interact with sensitive API endpoints. The vulnerability falls under the OWASP Top 10 category A5: Broken Access Control (WPScan).

The vulnerability enables unauthorized access to sensitive administrator information, including email addresses, account balances, and payment history. Additionally, attackers can exploit the flaw to send paid test SMS notifications, potentially depleting the account's balance through repeated unauthorized SMS transmissions (WPScan).

The vulnerability has been patched in Amelia plugin version 1.0.48. Users are strongly advised to update to this version or later to protect against potential exploitation (WPScan).