Vulnerability Description
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://codecanyon.net/item/amelia-enterpriselevel-appointment-booking-wordpress
- https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Applicatio
- https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Applicatio
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9dbaafbb-ab7b-41d8-a8f
FAQ
What is CVE-2026-2931?
CVE-2026-2931 is a vulnerability with a CVSS score of 8.8 (HIGH). The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to object...
How severe is CVE-2026-2931?
CVE-2026-2931 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-2931?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.