Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the UpdateProviderCommandHandler failing to validate changes to the externalId field when a Provider (Employee) user updates their own profile. The externalId maps directly to a WordPress user ID and is passed to wp_set_password() and wp_update_user() without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account - including Administrator - by injecting an arbitrary externalId value when updating their own provider profile.
AnalysisAI
Authenticated privilege escalation to Administrator in Amelia WordPress plugin (all versions ≤2.1.3) allows Provider-level users to hijack any account via Insecure Direct Object Reference. Attackers manipulate the externalId parameter during profile updates to map their session to arbitrary WordPress user IDs, including administrators, bypassing all authorization checks before password reset and user modification operations. EPSS data not provided; no confirmed active exploitation (CISA KEV) at time of analysis, though public exploit code exists via disclosed source code references.
Technical ContextAI
The vulnerability exists in the UpdateProviderCommandHandler class within the Amelia booking plugin for WordPress (CPE: cpe:2.3:a:ameliabooking:booking_for_appointments_and_events_calendar_-_amelia). The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), where the externalId field-which directly maps to WordPress core user IDs-is accepted from user input without validation. When a Provider user updates their profile, the application passes this attacker-controlled externalId to WordPress core functions wp_set_password() and wp_update_user() at lines 146, 219, and 239 of UpdateProviderCommandHandler.php. This creates a classic IDOR condition where access control relies on client-supplied identifiers rather than server-side session validation. The plugin's trust boundary failure allows low-privileged authenticated users to reference and modify high-privilege user objects by injecting target user IDs, effectively treating user-supplied keys as authoritative for access decisions.
RemediationAI
Immediately upgrade the Amelia plugin to version 2.1.4 or later, which contains the authorization fix implemented in WordPress plugin repository changeset 3499608. The patch modifies the UpdateProviderCommandHandler to properly validate externalId changes against the authenticated user's session context before invoking wp_set_password() and wp_update_user(). Site administrators should review access logs for suspicious Provider account activity, particularly profile update operations, and audit all WordPress user accounts for unauthorized privilege changes. If immediate patching is not feasible, temporarily restrict Provider-level user access or disable the profile update functionality through custom code hooks until the update can be applied. After patching, force password resets for all administrative accounts as a precautionary measure. Full technical details of the fix are available in the changeset at https://plugins.trac.wordpress.org/changeset/3499608/ameliabooking/trunk/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php. Wordfence users should ensure their firewall rules are updated to detect exploitation attempts.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19580