Skip to main content

WordPress CVE-2026-5465

| EUVDEUVD-2026-19580 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-07 Wordfence
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
EUVD ID Assigned
Apr 07, 2026 - 07:15 euvd
EUVD-2026-19580
Analysis Generated
Apr 07, 2026 - 07:15 vuln.today
CVE Published
Apr 07, 2026 - 06:43 nvd
HIGH 8.8

DescriptionCVE.org

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the UpdateProviderCommandHandler failing to validate changes to the externalId field when a Provider (Employee) user updates their own profile. The externalId maps directly to a WordPress user ID and is passed to wp_set_password() and wp_update_user() without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account - including Administrator - by injecting an arbitrary externalId value when updating their own provider profile.

AnalysisAI

Authenticated privilege escalation to Administrator in Amelia WordPress plugin (all versions ≤2.1.3) allows Provider-level users to hijack any account via Insecure Direct Object Reference. Attackers manipulate the externalId parameter during profile updates to map their session to arbitrary WordPress user IDs, including administrators, bypassing all authorization checks before password reset and user modification operations. EPSS data not provided; no confirmed active exploitation (CISA KEV) at time of analysis, though public exploit code exists via disclosed source code references.

Technical ContextAI

The vulnerability exists in the UpdateProviderCommandHandler class within the Amelia booking plugin for WordPress (CPE: cpe:2.3:a:ameliabooking:booking_for_appointments_and_events_calendar_-_amelia). The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the externalId field-which directly maps to WordPress core user IDs-is accepted from user input without validation. When a Provider user updates their profile, the application passes this attacker-controlled externalId to WordPress core functions wp_set_password() and wp_update_user() at lines 146, 219, and 239 of UpdateProviderCommandHandler.php. This creates a classic IDOR condition where access control relies on client-supplied identifiers rather than server-side session validation. The plugin's trust boundary failure allows low-privileged authenticated users to reference and modify high-privilege user objects by injecting target user IDs, effectively treating user-supplied keys as authoritative for access decisions.

RemediationAI

Immediately upgrade the Amelia plugin to version 2.1.4 or later, which contains the authorization fix implemented in WordPress plugin repository changeset 3499608. The patch modifies the UpdateProviderCommandHandler to properly validate externalId changes against the authenticated user's session context before invoking wp_set_password() and wp_update_user(). Site administrators should review access logs for suspicious Provider account activity, particularly profile update operations, and audit all WordPress user accounts for unauthorized privilege changes. If immediate patching is not feasible, temporarily restrict Provider-level user access or disable the profile update functionality through custom code hooks until the update can be applied. After patching, force password resets for all administrative accounts as a precautionary measure. Full technical details of the fix are available in the changeset at https://plugins.trac.wordpress.org/changeset/3499608/ameliabooking/trunk/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php. Wordfence users should ensure their firewall rules are updated to detect exploitation attempts.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-5465 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy