CVE-2026-24963 HIGH

CVE-2026-24963: WordPress Amelia plugin <= 1.2.38 - Privilege Escalation vulnerability

Vendor: Ameliabooking
Product: Amelia
Weakness: CWE-266
Published: March 5, 2026
Last update: April 28, 2026

CVSS base score

7.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Incorrect Privilege Assignment vulnerability in ameliabooking Amelia ameliabooking allows Privilege Escalation. This issue affects Amelia: from n/a through <= 1.2.38.

Explanation of Vulnerability in Simple Terms

02 Summary

Amelia versions up to 1.2.38 contain an improper access control vulnerability affecting high-privilege users. An authenticated administrator can read, modify, or delete sensitive data and system settings without proper authorization checks. The vulnerability requires valid admin credentials and does not require user interaction. Sites running affected versions should update immediately.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete sensitive data and system settings with admin-level access.

Potential impact on your site

04 Site Impact

Administrators with compromised credentials can cause data loss, configuration changes, or unauthorized access to booking and customer information.

Conditions required to exploit

05 Prerequisites

Valid administrator account credentials; network access to the Amelia admin interface.

Key dates

06 Disclosure timeline

March 5, 2026: CVE published
April 28, 2026: Record updated