Description
Incorrect Privilege Assignment vulnerability in ameliabooking Amelia ameliabooking allows Privilege Escalation. This issue affects Amelia: from n/a through <= 1.2.38.
Published: 2026-03-05
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Incorrect Privilege Assignment flaw that allows an attacker to elevate their privileges within a WordPress site where the Amelia booking plugin is installed. By exploiting this weakness, a user who should not hold such rights can gain administrative or other privileged capabilities, potentially leading to complete compromise of the site's configuration and data. The weakness is classified as CWE-266 (Incorrect Privilege Assignment), i.e. a privilege or security attribute is granted to a user or component that should not have it.

Affected Systems

The issue affects the Amelia plugin for WordPress from unspecified earlier releases through version 1.2.38. Users running any of these versions are susceptible.

Risk and Exploitability

The CVSS v3.1 score is 7.2 (High); the published vector, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, describes a network-reachable, low-complexity attack that requires high privileges and no user interaction, with high impact on confidentiality, integrity and availability. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, suggesting low current exploitation likelihood. Nevertheless, because the flaw leads to privilege escalation, any attacker who can reach the WordPress site and trigger the plugin's privileged operations could exploit it. The likely attack vector is the site's web interface, possibly via crafted HTTP requests targeting the plugin's endpoints.

Generated by OpenCVE AI on April 16, 2026 at 05:15 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Amelia to a version later than 1.2.38 or apply the vendor’s patch if available
  • If an update is not immediately possible, temporarily disable or remove the Amelia plugin to prevent the escalation path
  • Ensure that user role permissions are correctly configured so that only trusted administrators have access to the plugin’s privileged functions

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 14:15:00 +0000

  Type: Metrics
  Values added:
    cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

  Type: First Time appeared
  Values added: Ameliabooking, Ameliabooking amelia, Wordpress, Wordpress wordpress

  Type: Vendors & Products
  Values added: Ameliabooking, Ameliabooking amelia, Wordpress, Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

  Type: Description
  Values added: Incorrect Privilege Assignment vulnerability in ameliabooking Amelia ameliabooking allows Privilege Escalation.This issue affects Amelia: from n/a through <= 1.2.38.

  Type: Title
  Values added: WordPress Amelia plugin <= 1.2.38 - Privilege Escalation vulnerability

  Type: Weaknesses
  Values added: CWE-266

  Type: References
  Values added: (empty)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:36.195Z

Reserved: 2026-01-28T09:50:35.465Z

Link: CVE-2026-24963

Vulnrichment

Updated: 2026-03-09T13:52:55.331Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:23.173

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-24963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses