Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable WordPress endpoint, exploitable by any Subscriber-level account (PR:L) with no user interaction, yielding full site compromise after privilege escalation (C:H/I:H/A:H).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Privilege Escalation in Amelia <= 2.3 versions.
AnalysisAI
Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-privileged user (Subscriber role) to gain higher WordPress privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw exploitable with only minimal account access, yielding high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Amelia (CPE cpe:2.3:a:tms:amelia) is a commercial WordPress appointment and event booking plugin published by TMS-Plugins. The root cause maps to CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns or trusts a privilege level greater than what should be granted to a Subscriber-level WordPress account, typically because a plugin endpoint relies on a request parameter or capability check that does not properly enforce the WordPress role/capability model. In WordPress, Subscriber is the lowest authenticated role and is granted automatically by many sites that allow open registration, so any plugin path that permits Subscribers to perform higher-privileged actions effectively bridges public access to administrative functionality.
RemediationAI
Patch available per vendor advisory; consult the Patchstack listing at https://patchstack.com/database/wordpress/plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-2-3-privilege-escalation-vulnerability and the wpAmelia changelog to identify and install the fixed release (a version greater than 2.3) - the exact patched version was not included in the supplied data and should be confirmed against TMS-Plugins' official changelog before deployment. As an interim workaround, disable open WordPress user registration (Settings > General > 'Anyone can register') or restrict the default new-user role away from Subscriber to limit who can reach the vulnerable endpoint, accepting that this will block any legitimate self-service signup flow. Additionally, deactivating the Amelia plugin or restricting access to /wp-admin/admin-ajax.php and Amelia REST routes via a WAF rule scoped to Subscriber sessions can mitigate exploitation, with the trade-off of breaking booking functionality for legitimate authenticated users.
The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user
The Amelia WordPress plugin before 1.0.47 does not sanitize and escape the code parameter before outputting it back in a
Missing Authorization vulnerability in TMS Amelia ameliabooking.0.98. Rated critical severity (CVSS 9.8), this vulnerabi
The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing
The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any cu
The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any cu
Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unkn
The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow a
Blind SQL injection in Amelia WordPress plugin (ameliabooking) version 2.1.1 and earlier allows authenticated privileged
Unauthenticated sensitive data exposure in the Amelia (Amelia Booking) WordPress plugin versions 2.2 and earlier allows
The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the l
The Booking for Appointments and Events Calendar - Amelia Premium and Lite plugins for WordPress are vulnerable to unaut
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36862
GHSA-5w54-736m-65hf