Is WordPress affected by EUVD-2026-16095?

A critical vulnerability in the Amelia Booking WordPress plugin (versions ≤9.1.2) allows customer-level users to hijack administrator accounts and take over the entire website. Any organization using this plugin is at immediate risk of complete compromise, regardless of current user access controls.

EUVD-2026-16095

| CVE-2026-2931 HIGH

2026-03-26 Wordfence

GHSA-cfxx-jfwh-m66r

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 26, 2026 - 04:30 euvd

EUVD-2026-16095

Analysis Generated

Mar 26, 2026 - 04:30 vuln.today

CVE Published

Mar 26, 2026 - 03:37 nvd

HIGH 8.8

Description

The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.

Analysis

The Amelia Booking plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in versions up to and including 9.1.2 that allows authenticated attackers with customer-level permissions to bypass authorization controls and modify user passwords, including administrator accounts, potentially leading to complete site takeover. This vulnerability affects the pro version of the plugin available on CodeCanyon and carries a CVSS score of 8.8 (HIGH). …

Remediation

Within 24 hours: Audit all users with Amelia Booking access and review recent password changes and administrative activity; disable the plugin if it is not business-critical. Within 7 days: Contact CodeCanyon/the vendor for patch availability and timeline; implement network segmentation to restrict plugin access to trusted IP ranges only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

EUVD-2026-16095 vulnerability details – vuln.today

Back

EUVD-2026-16095

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-16095

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code