Description
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitrary `externalId` value when updating their own provider profile.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Administrator
Action: Immediate Patch
AI Analysis

Impact

The Amelia plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to 2.1.3. The UpdateProviderCommandHandler does not check whether the `externalId` field being updated belongs to the currently authenticated Provider user. Because `externalId` is directly mapped to a WordPress user ID and is passed to wp_set_password() and wp_update_user() without authorization checks, an authenticated Provider can set the field to any numeric value. The affected system then resets the password and updates the user profile of the target account. This allows the attacker to take over any WordPress account, including administrators.

Affected Systems

All releases of the Amelia Booking for Appointments and Events Calendar plugin for WordPress up to and including version 2.1.3 are affected. The vulnerability exists in the plugin code that handles Provider profile updates. The issue applies to any WordPress installation that uses the Amelia plugin where a Provider (or more privileged user) can log in and edit their provider profile.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. Exploitation requires the attacker to be an authenticated Provider user or higher, and to access the provider profile update feature. Once authenticated, the attacker can simply submit a payload containing an arbitrary externalId equal to the numeric WordPress user ID of the target account. Because the plugin forwards this value to core WordPress functions without permission checks, no additional privileges or software features are needed. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, the lack of authorization checks means that any Provider-level user can immediately take ownership of any account, posing a significant risk to site integrity and confidentiality.

Generated by OpenCVE AI on April 7, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Amelia plugin to the latest available version where the issue is fixed.
  • If an upgrade cannot be performed immediately, remove or restrict the ability for Provider users to change the externalId field by adding validation that the value matches the current WordPress user ID.
  • Monitor WordPress user accounts for unexpected changes to passwords or IDs to detect potential exploitation.

Generated by OpenCVE AI on April 7, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Ameliabooking
Ameliabooking booking For Appointments And Events Calendar
Wordpress
Wordpress wordpress
Vendors & Products Ameliabooking
Ameliabooking booking For Appointments And Events Calendar
Wordpress
Wordpress wordpress

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitrary `externalId` value when updating their own provider profile.
Title Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ameliabooking Booking For Appointments And Events Calendar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:58.210Z

Reserved: 2026-04-03T06:28:11.890Z

Link: CVE-2026-5465

cve-icon Vulnrichment

Updated: 2026-04-07T13:13:18.698Z

cve-icon NVD

Status : Deferred

Published: 2026-04-07T07:16:24.050

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-5465

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:24:24Z

Weaknesses