{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5465", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-03T06:28:11.890Z", "datePublished": "2026-04-07T06:43:41.045Z", "dateUpdated": "2026-04-08T17:12:58.210Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:58.210Z"}, "affected": [{"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account \u2014 including Administrator \u2014 by injecting an arbitrary `externalId` value when updating their own provider profile."}], "title": "Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4204099-1065-4167-8b42-3da25945236c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Controller/User/Provider/UpdateProviderController.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L146"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L219"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L239"}, {"url": "https://plugins.trac.wordpress.org/changeset/3499608/ameliabooking/trunk/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-04-03T06:43:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-06T18:13:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T13:13:09.198377Z", "id": "CVE-2026-5465", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:13:24.738Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5465", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T13:13:09.198377Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:13:18.698Z"}}], "cna": {"title": "Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-03T06:43:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-06T18:13:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4204099-1065-4167-8b42-3da25945236c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Controller/User/Provider/UpdateProviderController.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L146"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L219"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L239"}, {"url": "https://plugins.trac.wordpress.org/changeset/3499608/ameliabooking/trunk/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php"}], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account \u2014 including Administrator \u2014 by injecting an arbitrary `externalId` value when updating their own provider profile."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-07T06:43:41.045Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5465", "state": "PUBLISHED", "dateUpdated": "2026-04-07T13:13:24.738Z", "dateReserved": "2026-04-03T06:28:11.890Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-07T06:43:41.045Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account \u2014 including Administrator \u2014 by injecting an arbitrary `externalId` value when updating their own provider profile."}], "id": "CVE-2026-5465", "lastModified": "2026-04-07T13:20:11.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-07T07:16:24.050", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L146"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L219"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L239"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Controller/User/Provider/UpdateProviderController.php#L30"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3499608/ameliabooking/trunk/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4204099-1065-4167-8b42-3da25945236c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-07T09:51:51.121695+00:00", "value": {"mitigation_remediation": ["Upgrade the Amelia plugin to the latest available version where the issue is fixed.", "If an upgrade cannot be performed immediately, remove or restrict the ability for Provider users to change the externalId field by adding validation that the value matches the current WordPress user ID.", "Monitor WordPress user accounts for unexpected changes to passwords or IDs to detect potential exploitation."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "All releases of the Amelia Booking for Appointments and Events Calendar plugin for WordPress up to and including version 2.1.3 are affected. The vulnerability exists in the plugin code that handles Provider profile updates. The issue applies to any WordPress installation that uses the Amelia plugin where a Provider (or more privileged user) can log in and edit their provider profile.", "description_and_impact": "The Amelia plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to 2.1.3. The UpdateProviderCommandHandler does not check whether the `externalId` field being updated belongs to the currently authenticated Provider user. Because `externalId` is directly mapped to a WordPress user ID and is passed to wp_set_password() and wp_update_user() without authorization checks, an authenticated Provider can set the field to any numeric value. The affected system then resets the password and updates the user profile of the target account. This allows the attacker to take over any WordPress account, including administrators.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity. Exploitation requires the attacker to be an authenticated Provider user or higher, and to access the provider profile update feature. Once authenticated, the attacker can simply submit a payload containing an arbitrary externalId equal to the numeric WordPress user ID of the target account. Because the plugin forwards this value to core WordPress functions without permission checks, no additional privileges or software features are needed. The EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, the lack of authorization checks means that any Provider-level user can immediately take ownership of any account, posing a significant risk to site integrity and confidentiality."}}}}, "created": "2026-04-08T19:49:59.021993+00:00", "updated": "2026-04-08T19:49:59.022025+00:00", "vendors": []}