Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.
AnalysisAI
The Amelia Booking plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in versions up to and including 9.1.2 that allows authenticated attackers with customer-level permissions to bypass authorization controls and modify user passwords, including administrator accounts, potentially leading to complete site takeover. This vulnerability affects the pro version of the plugin available on CodeCanyon and carries a CVSS score of 8.8 (HIGH). No evidence of active exploitation (KEV) or public proof-of-concept is currently documented, but the vulnerability has been publicly disclosed by Wordfence.
Technical ContextAI
The vulnerability affects the Amelia Booking plugin (CPE: cpe:2.3:a:ameliabooking:booking_for_appointments_and_events_calendar_-_amelia:*:*:*:*:*:*:*:*), specifically the pro version distributed via CodeCanyon. The root cause is CWE-269 (Improper Privilege Management), manifesting as an Insecure Direct Object Reference in the UpdateCustomerController.php and UpdateCustomerCommandHandler.php components. The plugin fails to properly validate whether the authenticated user has authorization to modify the target user object, allowing lower-privileged users to reference and manipulate objects (user accounts) they should not have access to. The vulnerability exists in the customer update functionality where user-controlled input can specify which user account to modify without adequate permission checks, enabling horizontal and vertical privilege escalation.
RemediationAI
Upgrade the Amelia Booking pro plugin to a version newer than 9.1.2 that addresses this IDOR vulnerability. Check the vendor's CodeCanyon product page at https://codecanyon.net/item/amelia-enterpriselevel-appointment-booking-wordpress-plugin/22067497 for the latest patched version. Until patching is completed, implement compensating controls such as restricting customer account registration to trusted users only, monitoring for suspicious password change attempts through WordPress audit logs, implementing additional authentication layers like two-factor authentication for administrative accounts, and reviewing user roles to ensure principle of least privilege. Site administrators should audit recent customer account activity and password changes to identify potential exploitation, and consider temporarily disabling customer self-service capabilities if immediate patching is not possible.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16095
GHSA-cfxx-jfwh-m66r