What the vulnerability does
01Description
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.
Explanation of Vulnerability in Simple Terms
02Summary
Amelia Booking for Appointments and Events Calendar versions up to 9.1.2 contain a privilege management flaw that allows authenticated users with low-level access to read, modify, or delete sensitive data and disrupt site operations. An attacker with a standard user account can escalate their capabilities without additional interaction. This affects confidentiality, integrity, and availability of the booking system.
What an attacker can do
03Attacker Capabilities
Read, modify, or delete sensitive booking data and disrupt site operations.
Potential impact on your site
04Site Impact
Unauthorized users can access and alter appointment data, customer information, and calendar settings.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account (e.g., customer or basic staff login).
Key dates
06Disclosure timeline
March 26, 2026
CVE published
April 8, 2026
Record updated