Booking For Appointments And Events Calendar Amelia

1 CVEs product


CVE-2026-5465 HIGH This Week

Authenticated privilege escalation to Administrator in Amelia WordPress plugin (all versions ≤2.1.3) allows Provider-level users to hijack any account via Insecure Direct Object Reference. Attackers manipulate the externalId parameter during profile updates to map their session to arbitrary WordPress user IDs, including administrators, bypassing all authorization checks before password reset and user modification operations. EPSS data not provided; no confirmed active exploitation (CISA KEV) at time of analysis, though public exploit code exists via disclosed source code references.

Tags: WordPress, PHP, Privilege Escalation, Booking For Appointments And Events Calendar Amelia
Sources: NVD, VulDB
CVSS 3.1: 8.8
EPSS: 0.1%
