CVE-2026-2931 HIGH

CVE-2026-2931: Amelia Booking <= 9.1.2 - Authenticated (Customer+) Insecure Direct Object Reference to Arbitrary User Password Change

Vendor Ameliabooking
Product Booking for Appointments and Events Calendar – Amelia
Weakness CWE-269
Published March 26, 2026
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.

Explanation of Vulnerability in Simple Terms

02Summary

Amelia Booking for Appointments and Events Calendar versions up to 9.1.2 contain a privilege management flaw that allows authenticated users with low-level access to read, modify, or delete sensitive data and disrupt site operations. An attacker with a standard user account can escalate their capabilities without additional interaction. This affects confidentiality, integrity, and availability of the booking system.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete sensitive booking data and disrupt site operations.

Potential impact on your site

04Site Impact

Unauthorized users can access and alter appointment data, customer information, and calendar settings.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account (e.g., customer or basic staff login).

Key dates

06Disclosure timeline

March 26, 2026 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08Related CVE