PT-2026-30799 · WordPress · Amelia
Published: 2026-04-07 · Updated: 2026-04-07 · CVE-2026-5465
CVSS v3.1: 8.8 (High) AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Amelia plugin for WordPress, versions up to and including 2.1.3

Description: The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is susceptible to Insecure Direct Object Reference (IDOR). The UpdateProviderCommandHandler does not properly validate modifications to the externalId field when a Provider (Employee) user updates their profile. The externalId maps directly to a WordPress user ID and is passed to wp_set_password() and wp_update_user() without an authorization check. This allows authenticated attackers with Provider-level (Employee) access or higher to potentially compromise any WordPress account, including Administrator accounts, by manipulating the externalId value during their own provider profile update.

Recommendations: Update the Amelia plugin to a version later than 2.1.3.
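As an added illustration (not Amelia's own code; the function names, field names and handler shape are hypothetical), this is the ownership and capability check a provider-profile update handler needs before a submitted externalId is allowed to reach wp_update_user() or wp_set_password():

```php
<?php
// Added example, not the plugin's code. amelia_demo_* names, the $fields
// array and $storedExternalId are hypothetical placeholders.

/**
 * May the current WordPress user apply a profile update whose externalId is
 * $submittedExternalId, given that the provider record on file currently
 * links to WordPress user $storedExternalId?
 */
function amelia_demo_can_apply_external_id(int $submittedExternalId, int $storedExternalId): bool {
    $callerId = get_current_user_id();

    // No session at all: never allowed to touch a linked account.
    if ($callerId === 0) {
        return false;
    }

    // Users allowed to edit other users (administrators) may re-link a provider.
    if (current_user_can('edit_users')) {
        return true;
    }

    // A Provider/Employee may only refer to their own WordPress account: the
    // submitted externalId must equal both the caller's ID and the value already
    // stored for this provider. Any other value is the IDOR in the advisory.
    return $submittedExternalId === $callerId
        && $submittedExternalId === $storedExternalId;
}

// Hypothetical handler: the check runs before any WordPress account change.
function amelia_demo_update_provider(array $fields, int $storedExternalId): void {
    $submitted = (int) ($fields['externalId'] ?? 0);

    if (!amelia_demo_can_apply_external_id($submitted, $storedExternalId)) {
        wp_die('Not allowed to modify this linked WordPress account.', '', ['response' => 403]);
    }

    // Only now is externalId safe to pass to the WordPress user functions.
    wp_update_user([
        'ID'         => $submitted,
        'user_email' => sanitize_email($fields['email'] ?? ''),
    ]);

    if (!empty($fields['password'])) {
        wp_set_password($fields['password'], $submitted);
    }
}
```

The fix is to bind externalId to the authenticated caller (or require a user-management capability) rather than trusting the value in the request; rejecting a mismatch with a 403 also makes attempts visible in access logs.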

Weakness Enumeration: IDOR

Related Identifiers: CVE-2026-5465

Affected Products: Amelia