PT-2026-28198 · WordPress · Amelia Booking Plugin

Hunter Jensen · Published 2026-03-26 · Updated 2026-03-27 · CVE-2026-2931

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Amelia Booking plugin for WordPress versions up to 9.1.2

Description

The Amelia Booking plugin for WordPress is susceptible to Insecure Direct Object References. The plugin allows user-controlled access to objects, potentially enabling a user to bypass authorization and access system resources. Authenticated attackers with customer-level permissions or above may be able to change user passwords and potentially gain control of administrator accounts. The issue exists in the pro plugin.

Recommendations

Update the Amelia Booking plugin to a version later than 9.1.2.

Fix

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2026-2931

Affected Products

Amelia Booking Plugin