Platform
wordpress
Component
ameliabooking
Fixed in
9.1.3
CVE-2026-2931 is an Insecure Direct Object Reference (IDOR) vulnerability in the Amelia Booking plugin for WordPress. It allows authenticated attackers with customer-level permissions or higher to bypass authorization checks and act on objects that belong to other users, potentially leading to account takeover. The issue affects versions up to and including 9.1.2 and is fixed in version 9.2.
CVE-2026-2931 in the Amelia Booking plugin for WordPress presents a significant security risk. The vulnerability is an Insecure Direct Object Reference (IDOR): the plugin lets authenticated attackers with customer-level permissions or higher bypass authorization and reach objects and functions outside their access level. A successful exploit could let an attacker change another user's password, which can lead to administrator account takeover and complete compromise of the website. The flaw is reported in the Pro edition of the plugin, so sites running the Pro version are the ones that need to act. The CVSS score of 8.8 indicates high severity and demands prompt attention.
An attacker with customer-level or higher credentials on a website running the Amelia Pro plugin can exploit this vulnerability. Because the affected code does not verify that the object referenced in a request belongs to, or may be managed by, the requesting user, the attacker can manipulate HTTP request parameters to reach functionality not intended for their access level. For example, they might alter the user identifier in a password-change request so that the new password is applied to another account. Exploitation requires only valid low-privilege credentials and the ability to identify and manipulate the right parameters, so the complexity is low and attackers of varying technical skill could exploit it.
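The authorization mistake described above, shown as an added example rather than Amelia's own code: a WordPress admin-ajax handler that changes an account password. The vulnerable version trusts the client-supplied user id; the hardened version binds the target to the authenticated caller and falls back to WordPress's own capability check. The action name demo_change_password, the parameter names user_id and new_password, and the nonce name are assumptions for illustration; the WordPress functions used (absint, wp_set_password, get_current_user_id, current_user_can, check_ajax_referer, wp_send_json_error, wp_send_json_success, add_action) are real core APIs.

```php
<?php
// Added example (not Amelia's code). Hypothetical action "demo_change_password"
// with request parameters "user_id" and "new_password".

// --- Vulnerable pattern (IDOR) --------------------------------------------
// The handler trusts whatever user_id the client sends. Any logged-in user,
// including a customer, can set the password of user_id=1 (usually the first
// administrator) simply by editing the request body.
function demo_change_password_vulnerable() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['new_password'] ?? '' );

    if ( $user_id === 0 || $password === '' ) {
        wp_send_json_error( 'missing parameters', 400 );
    }

    wp_set_password( $password, $user_id ); // no check that $user_id is the caller's
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// Verify a CSRF nonce, then decide on the server whether the authenticated
// caller may act on the requested target instead of trusting the client id.
function demo_change_password_hardened() {
    check_ajax_referer( 'demo_change_password', 'nonce' ); // dies on a bad nonce

    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['new_password'] ?? '' );
    $caller   = get_current_user_id();

    if ( $caller === 0 ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    if ( ! demo_can_change_password( $caller, $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $password, $user_id );
    wp_send_json_success();
}

/**
 * Authorization decision, kept separate so it can be tested on its own.
 * A user may change their own password; changing anyone else's requires the
 * core 'edit_user' meta capability for that specific target, which
 * administrators hold and customer-level roles do not.
 */
function demo_can_change_password( int $caller_id, int $target_id ): bool {
    if ( $target_id <= 0 ) {
        return false;
    }
    if ( $caller_id === $target_id ) {
        return true;
    }
    return current_user_can( 'edit_user', $target_id );
}

// Register only the hardened handler, and only on the logged-in hook
// (no wp_ajax_nopriv_* registration, so anonymous requests never reach it).
add_action( 'wp_ajax_demo_change_password', 'demo_change_password_hardened' );
```

The point to check when auditing any handler for this class of bug is the line that performs the sensitive action (here wp_set_password): every identifier it consumes must come from the session or from a server-side ownership or capability decision, never straight from the request.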
Exploit Status
EPSS
0.05% (14th percentile)
The most effective mitigation for CVE-2026-2931 is to update the Amelia plugin to version 9.2 or later. The developers' update addresses the IDOR flaw by enforcing access controls on the affected objects. Until the update is applied, restrict user roles to the minimum permissions they need so that fewer accounts can reach sensitive functions, and regularly review website logs for suspicious activity that might indicate an exploitation attempt. Note that a customer-level account is enough to exploit the flaw, so tightening role permissions reduces exposure but does not close the hole; only the patch does. Prompt patching is crucial for maintaining website security and protecting user data.
Update to version 9.2, or a newer patched version
An Insecure Direct Object Reference (IDOR) is a vulnerability that occurs when an application lets users reference internal objects (for example a user id) directly, without validating that the requester is authorized for that particular object. An attacker changes the reference in a request to reach objects that are not theirs.
The vulnerability affects websites using the Pro version of the Amelia plugin up to version 9.1.2.
Check the version of the Amelia Pro plugin you are using. If it is 9.1.2 or earlier (anything below 9.2), your website is vulnerable.
As a temporary measure, restrict user permissions and monitor website logs for suspicious activity.
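The log monitoring recommended here and in the mitigation section above, as an added example that is not part of the advisory or the plugin: a small PHP scan over web-server access-log lines that flags a single client driving a password-change action against several different account ids, which is the traffic shape an IDOR probe produces. The action name demo_change_password and the user_id parameter are assumptions; a real hunt substitutes the plugin's actual endpoint and parameter names. It also assumes the target id appears in the query string; if the parameter is only in the POST body, an application or WAF log that records bodies is needed instead. The sample log lines are constructed, not real traffic.

```php
<?php
// Added example (not part of the advisory). Hypothetical action
// "demo_change_password" and parameter "user_id".

// Common/combined log format: ip ident user [time] "METHOD path proto" status ...
const CLF_PATTERN = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/';

// Parse one access-log line into ip, method, status and decoded query parameters.
function parse_access_line( string $line ): ?array {
    if ( ! preg_match( CLF_PATTERN, $line, $m ) ) {
        return null;
    }
    $query = parse_url( $m['path'], PHP_URL_QUERY ) ?? '';
    parse_str( $query, $params );
    return [
        'ip'     => $m['ip'],
        'method' => $m['method'],
        'status' => (int) $m['status'],
        'params' => $params,
    ];
}

/**
 * Return one finding per client IP that issued the password-change action
 * against more than $max_targets distinct user ids. A legitimate user changes
 * one password (their own); walking several ids is the IDOR signature.
 */
function find_idor_probes( array $lines, string $action = 'demo_change_password', int $max_targets = 1 ): array {
    $targets = [];
    foreach ( $lines as $line ) {
        $req = parse_access_line( $line );
        if ( $req === null || ( $req['params']['action'] ?? '' ) !== $action ) {
            continue;
        }
        $uid = (int) ( $req['params']['user_id'] ?? 0 );
        $targets[ $req['ip'] ][ $uid ] = true;
    }

    $findings = [];
    foreach ( $targets as $ip => $ids ) {
        if ( count( $ids ) > $max_targets ) {
            $findings[] = [ 'ip' => $ip, 'targets' => array_keys( $ids ) ];
        }
    }
    return $findings;
}

// Constructed sample log: 10.0.0.5 changes one account (its own);
// 203.0.113.9 walks user ids 1, 2 and 3, including the first administrator.
$sample_log = [
    '10.0.0.5 - - [10/Mar/2026:09:12:01 +0000] "POST /wp-admin/admin-ajax.php?action=demo_change_password&user_id=42 HTTP/1.1" 200 35',
    '203.0.113.9 - - [10/Mar/2026:09:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=demo_change_password&user_id=1 HTTP/1.1" 200 35',
    '203.0.113.9 - - [10/Mar/2026:09:14:08 +0000] "POST /wp-admin/admin-ajax.php?action=demo_change_password&user_id=2 HTTP/1.1" 200 35',
    '203.0.113.9 - - [10/Mar/2026:09:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=demo_change_password&user_id=3 HTTP/1.1" 200 35',
    '198.51.100.4 - - [10/Mar/2026:09:20:00 +0000] "GET /wp-admin/admin-ajax.php?action=demo_list_slots HTTP/1.1" 200 512',
];

foreach ( find_idor_probes( $sample_log ) as $f ) {
    printf( "suspect %s targeted user ids %s\n", $f['ip'], implode( ',', $f['targets'] ) );
}
```

Run it with php from the command line against a real log by replacing $sample_log with the file's lines. A successful (HTTP 200) password change against a low user id from a customer session is the event to escalate; the same grouping logic applies equally to any other object id the plugin exposes in requests.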
You can find more information on vulnerability databases like the National Vulnerability Database (NVD) and on WordPress support forums.