{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2931", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-21T06:09:02.642Z", "datePublished": "2026-03-26T03:37:28.098Z", "dateUpdated": "2026-03-26T17:51:16.102Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T03:37:28.098Z"}, "affected": [{"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "9.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug."}], "title": "Amelia Booking <= 9.1.2 - Authenticated (Customer+) Insecure Direct Object Reference to Arbitrary User Password Change", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9dbaafbb-ab7b-41d8-a8f7-178b9d42b4c5?source=cve"}, {"url": "https://codecanyon.net/item/amelia-enterpriselevel-appointment-booking-wordpress-plugin/22067497"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Application/Controller/User/Customer/UpdateCustomerController.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Application/Commands/User/Customer/UpdateCustomerCommandHandler.php#L173"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hunter Jensen"}], "timeline": [{"time": "2026-02-21T06:38:12.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T15:31:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2931", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T17:36:06.825143Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:51:16.102Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2931", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T17:36:06.825143Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:48:32.412Z"}}], "cna": {"title": "Amelia Booking <= 9.1.2 - Authenticated (Customer+) Insecure Direct Object Reference to Arbitrary User Password Change", "credits": [{"lang": "en", "type": "finder", "value": "Hunter Jensen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "ameliabooking", "product": "Booking for Appointments and Events Calendar \u2013 Amelia", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "9.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-21T06:38:12.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-25T15:31:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9dbaafbb-ab7b-41d8-a8f7-178b9d42b4c5?source=cve"}, {"url": "https://codecanyon.net/item/amelia-enterpriselevel-appointment-booking-wordpress-plugin/22067497"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Application/Controller/User/Customer/UpdateCustomerController.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Application/Commands/User/Customer/UpdateCustomerCommandHandler.php#L173"}], "descriptions": [{"lang": "en", "value": "The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T03:37:28.098Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2931", "state": "PUBLISHED", "dateUpdated": "2026-03-26T17:51:16.102Z", "dateReserved": "2026-02-21T06:09:02.642Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-26T03:37:28.098Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug."}], "id": "CVE-2026-2931", "lastModified": "2026-03-26T05:16:39.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-26T05:16:39.030", "references": [{"source": "security@wordfence.com", "url": "https://codecanyon.net/item/amelia-enterpriselevel-appointment-booking-wordpress-plugin/22067497"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Application/Commands/User/Customer/UpdateCustomerCommandHandler.php#L173"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Application/Controller/User/Customer/UpdateCustomerController.php#L30"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9dbaafbb-ab7b-41d8-a8f7-178b9d42b4c5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.1.2]"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "Booking for Appointments and Events Calendar \u2013 Amelia", "source": "cna", "vendor": "ameliabooking"}, "product": "booking_for_appointments_and_events_calendar", "vendor": "ameliabooking"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T05:22:54.297469+00:00", "value": {"mitigation_remediation": ["Verify the installed Amelia Booking plugin version; if it is 9.1.2 or earlier upgrade immediately to the latest release (or to a version 9.1.3 or higher that addresses the issue).", "If a patch is not yet available, temporarily remove or restrict the password\u2011change capability from customer\u2011level roles to prevent further exploitation."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation and Account Takeover"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that has the Amelia Booking plugin (Booking for Appointments and Events Calendar \u2013 Amelia) at version 9.1.2 or earlier is affected. This applies to all sites that have installed the plugin without upgrading to a later security\u2011patched release.", "description_and_impact": "The vulnerability in the Amelia Booking WordPress plugin allows a user to gain direct access to any user account\u2019s password change functionality irrespective of the account\u2019s role. An attacker who has authenticated access with customer-level permissions or higher can alter the password of any user, including administrators, which effectively enables account takeover and complete control over the site\u2019s administrative functions.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.8, indicating a high severity level. No EPSS score is available and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack path requires the attacker to be authenticated and have at least customer-level privileges, after which they can call the plugin\u2019s password\u2011change endpoint using arbitrary user identifiers. Because the underlying access control check is missing, the exploit is straightforward for anyone with access to the plugin\u2019s authenticated interface. The combination of operational impact and ease of exploitation results in a high risk to affected sites."}}}}, "created": "2026-03-26T11:30:39.116988+00:00", "updated": "2026-03-26T12:08:39.667815+00:00", "vendors": ["ameliabooking", "ameliabooking$PRODUCT$booking_for_appointments_and_events_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}