
Description

The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.

Status: PUBLISHED | Reserved 2026-02-21 | Published 2026-03-26 | Updated 2026-04-08 | Assigner: Wordfence

Severity: HIGH 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-269 Improper Privilege Management

Product status

Default status: unaffected

Any version: affected

Timeline

2026-02-21: Vendor Notified
2026-03-25: Disclosed

Credits

Hunter Jensen (finder)

References

www.wordfence.com/...-ab7b-41d8-a8f7-178b9d42b4c5?source=cve

codecanyon.net/...ointment-booking-wordpress-plugin/22067497

plugins.trac.wordpress.org/...r/UpdateCustomerController.php

plugins.trac.wordpress.org/...dateCustomerCommandHandler.php

cve.org (CVE-2026-2931)

nvd.nist.gov (CVE-2026-2931)
