CVE-2026-2931 - Vulnerability Analysis

Overview

Amelia Booking WordPress plugin <= 9.1.2 contains an insecure direct object reference caused by user-controlled access to objects in the pro plugin, letting authenticated users with customer-level permissions change passwords and take over admin accounts.

Severity & Score

Impact

Authenticated users can change passwords and potentially take over administrator accounts, leading to full system compromise.

Mitigation

Update to the latest version beyond 9.1.2.

References

• https://codecanyon.net/item/amelia-enterpriselevel-appointment-booking-wordpress-plugin/22067497
• https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Application/Commands/User/Customer/UpdateCustomerCommandHandler.php#L173
• https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Application/Controller/User/Customer/UpdateCustomerController.php#L30
• https://www.wordfence.com/threat-intel/vulnerabilities/id/9dbaafbb-ab7b-41d8-a8f7-178b9d42b4c5?source=cve

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 26, 2026

🟠 CVE-2026-2931 - High (8.8) The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and acce... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2931/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner