How to fix EUVD-2026-19580?

Within 24 hours: Disable or remove the Amelia plugin from all WordPress installations and audit Provider-level user accounts for unauthorized activity. Within 7 days: Inventory all systems using Amelia ≤2.1.3, verify no unauthorized account modifications occurred, and reset all administrator credentials. Within 30 days: Evaluate alternative scheduling/booking plugins, implement application-level access controls to restrict Provider role capabilities, and deploy Web Application Firewall rules to block externalId parameter manipulation attempts until a patched version is available.

Is PHP affected by EUVD-2026-19580?

The Amelia WordPress plugin (versions ≤2.1.3) contains a critical privilege escalation vulnerability that allows authenticated Provider-level users to take control of any WordPress account, including administrator accounts, through parameter manipulation.

EUVD-2026-19580

| CVE-2026-5465 HIGH

2026-04-07 Wordfence

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 07, 2026 - 07:15 vuln.today

EUVD ID Assigned

Apr 07, 2026 - 07:15 euvd

EUVD-2026-19580

CVE Published

Apr 07, 2026 - 06:43 nvd

HIGH 8.8

Description

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account - including Administrator - by injecting an arbitrary `externalId` value when updating their own provider profile.

Analysis

Authenticated privilege escalation to Administrator in Amelia WordPress plugin (all versions ≤2.1.3) allows Provider-level users to hijack any account via Insecure Direct Object Reference. Attackers manipulate the externalId parameter during profile updates to map their session to arbitrary WordPress user IDs, including administrators, bypassing all authorization checks before password reset and user modification operations. …

Remediation

Within 24 hours: Disable or remove the Amelia plugin from all WordPress installations and audit Provider-level user accounts for unauthorized activity. Within 7 days: Inventory all systems using Amelia ≤2.1.3, verify no unauthorized account modifications occurred, and reset all administrator credentials. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: 0

EUVD-2026-19580 vulnerability details – vuln.today

Back

EUVD-2026-19580

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-19580

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code