Platform: wordpress
Component: ameliabooking
Fixed in: 2.1.4
CVE-2026-5465 describes a Privilege Escalation vulnerability discovered in the Booking for Appointments and Events Calendar – Amelia plugin for WordPress. This flaw allows authenticated attackers with Provider (Employee) access or higher to escalate their privileges and take control of other WordPress user accounts. The vulnerability affects versions 0.0.0 through 2.1.3, and a fix is available in version 2.2.
The impact of this vulnerability is significant. An attacker with Provider-level access can leverage the insecure externalId field to modify the WordPress user ID associated with other accounts. This allows them to effectively take over those accounts, gaining full control over their associated data and permissions within the WordPress environment. Successful exploitation could lead to unauthorized access to sensitive customer information, modification of appointment schedules, or even complete compromise of the WordPress site. This vulnerability shares similarities with other insecure direct object reference (IDOR) flaws where insufficient authorization checks allow unauthorized access to resources.
CVE-2026-5465 was published on 2026-04-07. Its severity is rated HIGH with a CVSS score of 8.8. There is currently no indication that this vulnerability is being actively exploited in the wild, but the ease of exploitation and potential impact warrant immediate attention. No Proof-of-Concept (POC) exploits have been publicly released as of this writing. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog (KEV) and has a low EPSS score, suggesting a currently low probability of exploitation.
Exploit Status
EPSS: 0.06% (17th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-5465 is to upgrade the Amelia WordPress plugin to version 2.2 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing temporary workarounds. Restrict access to the provider profile update functionality to only authorized administrators. Implement stricter input validation on the externalId field, ensuring it matches the expected format and is properly authorized. Monitor WordPress logs for suspicious activity related to user account modifications and password resets. After upgrading, confirm the fix by attempting to update another user's password as a Provider user – the operation should be denied.
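The two interim controls above (authorize changes to the externalId mapping, and watch account-modification events) can be expressed as one small piece of detection logic. The following is an added example written for this page, not code from the Amelia plugin or its vendor. It assumes a constructed key=value audit log format (actor_wp_id, actor_role, action, provider_id, external_id_old, external_id_new, wp_user_id) that a site would have to emit from its own logging hook; the field names are assumptions, and the sample lines are constructed. The authorization rule it encodes is the one the advisory implies: only an administrator may re-point a provider profile to a different WordPress user ID, and a non-administrator may only update their own account's password.

```python
"""Flag externalId re-mapping and cross-account password updates in audit logs.

Added example for CVE-2026-5465 (not the plugin's own code). Log format,
field names and sample events are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: one event per line, space-separated key=value pairs.
# Events 3 and 4 model the advisory's abuse pattern: a Provider re-points
# profile 9 to WP user 1 and then changes that account's password.
SAMPLE_LOG = """\
ts=2026-04-08T10:00:01Z actor_wp_id=12 actor_role=administrator action=provider_update provider_id=7 external_id_old=12 external_id_new=12
ts=2026-04-08T10:01:13Z actor_wp_id=31 actor_role=provider action=provider_update provider_id=9 external_id_old=31 external_id_new=31
ts=2026-04-08T10:02:45Z actor_wp_id=31 actor_role=provider action=provider_update provider_id=9 external_id_old=31 external_id_new=1
ts=2026-04-08T10:03:02Z actor_wp_id=31 actor_role=provider action=password_update provider_id=9 wp_user_id=1
ts=2026-04-08T10:05:00Z actor_wp_id=12 actor_role=administrator action=provider_update provider_id=9 external_id_old=1 external_id_new=31
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    ts: str
    actor_wp_id: str
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Turn one 'k=v k=v' log line into a dict (empty dict for blank/garbage lines)."""
    return dict(KV_RE.findall(line))


def external_id_change_is_authorized(actor_role: str,
                                     old: Optional[str],
                                     new: Optional[str]) -> bool:
    """Authorization rule for the externalId (WP user ID) mapping.

    Leaving the mapping unchanged is always fine; changing it requires the
    administrator role. A Provider must never be able to re-point a profile
    to another WordPress account, which is the root of the advisory's flaw.
    """
    if old == new:
        return True
    return actor_role == "administrator"


def password_update_is_authorized(actor_role: str, actor_wp_id: str,
                                  target_wp_id: Optional[str]) -> bool:
    """A non-administrator may only change the password of their own WP account."""
    if actor_role == "administrator":
        return True
    return target_wp_id == actor_wp_id


def detect(log_text: str) -> List[Finding]:
    """Scan the log and return one Finding per event the rules above reject."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "action" not in ev:
            continue
        role = ev.get("actor_role", "")
        actor = ev.get("actor_wp_id", "")
        if ev["action"] == "provider_update":
            old, new = ev.get("external_id_old"), ev.get("external_id_new")
            if not external_id_change_is_authorized(role, old, new):
                findings.append(Finding(
                    ev.get("ts", ""), actor,
                    f"non-admin re-pointed provider {ev.get('provider_id')} "
                    f"from WP user {old} to WP user {new}"))
        elif ev["action"] == "password_update":
            target = ev.get("wp_user_id")
            if not password_update_is_authorized(role, actor, target):
                findings.append(Finding(
                    ev.get("ts", ""), actor,
                    f"non-admin changed password of WP user {target}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} actor={f.actor_wp_id}: {f.reason}")
```

Run against the constructed sample, the detector reports exactly the two Provider-initiated events (the re-mapping at 10:02:45 and the password change at 10:03:02) and stays silent on the administrator's corrective re-mapping and on the no-op updates. The same two predicates are what a server-side guard would evaluate before applying a provider profile update, so the rule used for detection and the rule used for enforcement stay identical.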
Update to version 2.2, or a newer patched version
CVE-2026-5465 is a HIGH severity vulnerability in the Amelia WordPress plugin allowing authenticated attackers to escalate privileges and take over user accounts by manipulating the 'externalId' field. It affects versions 0.0.0–2.1.3.
If you are using the Amelia WordPress plugin and your version is between 0.0.0 and 2.1.3 (inclusive), you are potentially affected by this vulnerability. Check your plugin version immediately.
The recommended fix is to upgrade the Amelia WordPress plugin to version 2.2 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting access and input validation.
As of now, there is no public evidence of CVE-2026-5465 being actively exploited in the wild, but the potential impact warrants prompt remediation.
Refer to the official Amelia WordPress plugin website and WordPress plugin repository for the latest advisory and update information regarding CVE-2026-5465.