Description
Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through <= 1.2.16.
Published: 2025-02-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference in the Amelia WordPress plugin, allowing an attacker to bypass authorization by manipulating a user‑controlled key. This flaw can be used to access or modify resources that the user should not be able to reach, potentially leading to disclosure or alteration of sensitive data. The weakness is classified as CWE‑639, indicating that improper checks on resource ownership enable an unauthorized user to exploit the system.

Affected Systems

The flaw affects the Amelia booking plugin for WordPress, versions up to and including 1.2.16. Any site running an affected version is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests that widespread exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation. The attack vector is inferred to be a crafted request that directly references protected objects, so an attacker must be able to identify valid keys and have some level of access to interact with the plugin's endpoints.

Generated by OpenCVE AI on May 1, 2026 at 15:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Amelia to version 1.2.17 or later, which removes the IDOR flaw.
  • Verify that user roles and capabilities are correctly configured, limiting access to booking functionality to authorized users only.
  • Inspect the site’s access logs for suspicious requests targeting booking endpoints and implement a web application firewall rule to block requests with unexpected key patterns.


Advisories
Source: EUVD
ID: EUVD-2025-5441
Title: Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through 1.2.16.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through 1.2.16.
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through <= 1.2.16.

Type: References (changed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Tue, 25 Feb 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Feb 2025 14:30:00 +0000

Type: Description
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through 1.2.16.

Type: Title
Values Added: WordPress Amelia plugin <= 1.2.16 - Insecure Direct Object References (IDOR) vulnerability

Type: Weaknesses
Values Added: CWE-639

Type: References (changed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.733Z

Reserved: 2025-02-17T11:51:33.746Z

Link: CVE-2025-26965

Vulnrichment

Updated: 2025-02-25T14:54:59.090Z

NVD

Status: Deferred

Published: 2025-02-25T15:15:29.703

Modified: 2026-04-29T10:16:43.283

Link: CVE-2025-26965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T15:30:20Z

Weaknesses