Description
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation and Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the Amelia Booking WordPress plugin allows a user to gain direct access to any user account’s password change functionality irrespective of the account’s role. An attacker who has authenticated access with customer-level permissions or higher can alter the password of any user, including administrators, which effectively enables account takeover and complete control over the site’s administrative functions.

Affected Systems

Any WordPress installation that has the Amelia Booking plugin (Booking for Appointments and Events Calendar – Amelia) at version 9.1.2 or earlier is affected. This applies to all sites that have installed the plugin without upgrading to a later security‑patched release.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating a high severity level. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. The attack path requires the attacker to be authenticated and have at least customer-level privileges, after which they can call the plugin’s password‑change endpoint using arbitrary user identifiers. Because the underlying access control check is missing, the exploit is straightforward for anyone with access to the plugin’s authenticated interface. The combination of operational impact and ease of exploitation results in a high risk to affected sites.

Generated by OpenCVE AI on March 26, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed Amelia Booking plugin version; if it is 9.1.2 or earlier upgrade immediately to the latest release (or to a version 9.1.3 or higher that addresses the issue).
  • If a patch is not yet available, temporarily remove or restrict the password‑change capability from customer‑level roles to prevent further exploitation.

Generated by OpenCVE AI on March 26, 2026 at 05:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Ameliabooking
Ameliabooking booking For Appointments And Events Calendar
Wordpress
Wordpress wordpress
Vendors & Products Ameliabooking
Ameliabooking booking For Appointments And Events Calendar
Wordpress
Wordpress wordpress

Thu, 26 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
Description The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.
Title Amelia Booking <= 9.1.2 - Authenticated (Customer+) Insecure Direct Object Reference to Arbitrary User Password Change
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ameliabooking Booking For Appointments And Events Calendar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:38.336Z

Reserved: 2026-02-21T06:09:02.642Z

Link: CVE-2026-2931

cve-icon Vulnrichment

Updated: 2026-03-26T17:48:32.412Z

cve-icon NVD

Status : Deferred

Published: 2026-03-26T05:16:39.030

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-2931

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:08:39Z

Weaknesses