Description
Subscriber Privilege Escalation in Amelia <= 2.3 versions.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a subscriber account in the WordPress Amelia plugin, versions 2.3 and earlier, to gain higher‑level privileges without authorization. This is a privilege escalation flaw classified as CWE‑266. The impact is that an attacker who can log in as a normal subscriber could obtain administrative rights, enabling full control over the plugin and potentially the website content.

Affected Systems

WordPress Amelia plugin, versions 2.3 and earlier, are affected. The plugin is hosted within WordPress installations and the issue exists before any official patch to version 2.4.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of less than 1% suggests exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated subscriber account, implying an attacker must first obtain or assume such credentials. Once authenticated, a privilege escalation path exists that can elevate the attacker to administrative level.

Generated by OpenCVE AI on June 18, 2026 at 03:20 UTC.

Remediation

Vendor Solution

Update the WordPress Amelia Plugin to the latest available version (at least 2.4).


OpenCVE Recommended Actions

  • Apply the vendor’s official patch by upgrading the Amelia plugin to version 2.4 or later.
  • If an immediate update is not possible, disable or uninstall the Amelia plugin to eliminate the vulnerability from the environment.
  • Regularly audit user accounts and activity logs for unauthorized privilege changes or escalation attempts.

Generated by OpenCVE AI on June 18, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Tms
Tms amelia
Wordpress
Wordpress wordpress
Vendors & Products Tms
Tms amelia
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber Privilege Escalation in Amelia <= 2.3 versions.
Title WordPress Amelia plugin <= 2.3 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:21:59.053Z

Reserved: 2026-05-25T22:37:16.413Z

Link: CVE-2026-48889

cve-icon Vulnrichment

Updated: 2026-06-16T01:21:54.482Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:18.087

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48889

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:49Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment