PT-2026-28198 · WordPress · Amelia Booking Plugin
Hunter Jensen · Published 2026-03-26 · Updated 2026-03-26
CVE-2026-2931
CVSS v3.1: 8.8 High (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions
Amelia Booking plugin for WordPress versions up to 9.1.2
Description
The Amelia Booking plugin for WordPress is susceptible to Insecure Direct Object References. The plugin allows user-controlled access to objects, potentially enabling a user to bypass authorization and access system resources. Authenticated attackers with customer-level permissions or above may be able to change user passwords and potentially gain control of administrator accounts. The issue exists in the pro plugin.
Recommendations
Update the Amelia Booking plugin to a version later than 9.1.2.
Fix
Improper Privilege Management
Weakness Enumeration
Related Identifiers
Affected Products
Amelia Booking Plugin