Insecure Direct Object Reference in Amelia Booking Plugin for WordPress
CVE-2026-5465

8.8HIGH

Key Information:

Vendor: WordPress
Status: Booking For Appointments And Events Calendar – Amelia
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-5465?

The Amelia Booking for Appointments and Events Calendar plugin for WordPress contains a vulnerability that allows authenticated users with Provider (Employee) access to bypass authorization checks when updating their profile. This weakness arises from the failure to validate the externalId field, which directly maps to a WordPress user ID. As a result, attackers can inject an arbitrary externalId when modifying their profile, enabling them to take control of any WordPress account, including those with administrative privileges. It is crucial for users of this plugin to update to the latest version to safeguard against potential account takeovers.

Affected Version(s)

Booking for Appointments and Events Calendar – Amelia 0 <= 2.1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/ameliabooking/...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 3, 2026

Credit

Osvaldo Noe Gonzalez Del Rio

CVE-2026-5465 Data

JSON