Skip to main content

Amelia CVE-2026-48889

| EUVDEUVD-2026-36862 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-15 Patchstack GHSA-5w54-736m-65hf
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable WordPress endpoint, exploitable by any Subscriber-level account (PR:L) with no user interaction, yielding full site compromise after privilege escalation (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:43 vuln.today

DescriptionCVE.org

Subscriber Privilege Escalation in Amelia <= 2.3 versions.

AnalysisAI

Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-privileged user (Subscriber role) to gain higher WordPress privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw exploitable with only minimal account access, yielding high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Amelia (CPE cpe:2.3:a:tms:amelia) is a commercial WordPress appointment and event booking plugin published by TMS-Plugins. The root cause maps to CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns or trusts a privilege level greater than what should be granted to a Subscriber-level WordPress account, typically because a plugin endpoint relies on a request parameter or capability check that does not properly enforce the WordPress role/capability model. In WordPress, Subscriber is the lowest authenticated role and is granted automatically by many sites that allow open registration, so any plugin path that permits Subscribers to perform higher-privileged actions effectively bridges public access to administrative functionality.

RemediationAI

Patch available per vendor advisory; consult the Patchstack listing at https://patchstack.com/database/wordpress/plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-2-3-privilege-escalation-vulnerability and the wpAmelia changelog to identify and install the fixed release (a version greater than 2.3) - the exact patched version was not included in the supplied data and should be confirmed against TMS-Plugins' official changelog before deployment. As an interim workaround, disable open WordPress user registration (Settings > General > 'Anyone can register') or restrict the default new-user role away from Subscriber to limit who can reach the vulnerable endpoint, accepting that this will block any legitimate self-service signup flow. Additionally, deactivating the Amelia plugin or restricting access to /wp-admin/admin-ajax.php and Amelia REST routes via a WAF rule scoped to Subscriber sessions can mitigate exploitation, with the trade-off of breaking booking functionality for legitimate authenticated users.

More in Amelia

View all
CVE-2022-0687 HIGH POC
8.8 Mar 21

The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user

CVE-2022-0627 MEDIUM POC
6.1 Mar 21

The Amelia WordPress plugin before 1.0.47 does not sanitize and escape the code parameter before outputting it back in a

CVE-2024-22298 CRITICAL
9.8 Jun 10

Missing Authorization vulnerability in TMS Amelia ameliabooking.0.98. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2022-0837 MEDIUM POC
5.4 Apr 04

The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing

CVE-2022-0825 MEDIUM POC
5.4 Apr 04

The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any cu

CVE-2022-0720 MEDIUM POC
5.4 Mar 28

The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any cu

CVE-2026-57702 CRITICAL
9.3 Jul 13

Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unkn

CVE-2022-0616 MEDIUM POC
4.3 Mar 21

The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow a

CVE-2026-39487 HIGH
7.6 Apr 08

Blind SQL injection in Amelia WordPress plugin (ameliabooking) version 2.1.1 and earlier allows authenticated privileged

CVE-2026-40789 HIGH
7.5 Jun 15

Unauthenticated sensitive data exposure in the Amelia (Amelia Booking) WordPress plugin versions 2.2 and earlier allows

CVE-2022-0834 HIGH
7.2 Mar 23

The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the l

CVE-2024-6332 MEDIUM
6.5 Sep 05

The Booking for Appointments and Events Calendar - Amelia Premium and Lite plugins for WordPress are vulnerable to unaut

Share

CVE-2026-48889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy