critical advisory

Amelia WordPress Plugin IDOR Vulnerability CVE-2026-5465

The Amelia WordPress plugin is vulnerable to an insecure direct object reference that allows authenticated attackers with Provider-level access or higher to escalate privileges and gain persistence by taking over any WordPress account, including Administrator, by manipulating the `externalId` field.

The Amelia WordPress plugin, specifically the “Booking for Appointments and Events Calendar”, contains an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-5465) in versions up to and including 2.1.3. This flaw resides within the UpdateProviderCommandHandler and stems from insufficient validation when a Provider (Employee) user modifies their profile. The critical issue is the ability to manipulate the externalId field, which directly corresponds to a WordPress user ID. By injecting an arbitrary externalId value during a profile update, an authenticated attacker with Provider-level access or higher can bypass authorization checks. This oversight permits the attacker to execute functions such as wp_set_password() and wp_update_user() on behalf of any other user, including those with Administrator privileges. This vulnerability allows for complete account takeover, representing a significant risk for organizations utilizing the vulnerable plugin.

Attack Chain

  1. An attacker gains authenticated access to a WordPress instance with the Amelia plugin installed, possessing at least Provider (Employee) level privileges.
  2. The attacker navigates to their user profile within the Amelia plugin interface.
  3. The attacker intercepts the HTTP request generated when updating their profile using a tool like Burp Suite or browser developer tools.
  4. The attacker modifies the externalId parameter within the intercepted HTTP request, replacing its original value with the WordPress user ID of the target account they wish to compromise (e.g., the Administrator account, typically user ID 1).
  5. The attacker sends the modified HTTP request to the server.
  6. Due to the IDOR vulnerability, the UpdateProviderCommandHandler fails to validate the manipulated externalId value.
  7. The Amelia plugin’s backend utilizes the attacker-controlled externalId to call wp_set_password() and/or wp_update_user() on the target account.
  8. The attacker successfully changes the password or other profile details of the target account, achieving complete account takeover and escalating privileges.

Impact

Successful exploitation of CVE-2026-5465 allows an attacker with minimal privileges (Provider/Employee role) to compromise any other account on the WordPress instance, including Administrator accounts. This grants the attacker full control over the WordPress site, enabling them to install malicious plugins, modify content, exfiltrate sensitive data, or further compromise the underlying server. The number of potential victims is directly proportional to the number of websites utilizing the vulnerable Amelia plugin. Given the plugin’s popularity, a successful mass exploitation could impact thousands of websites across various sectors.

Recommendation

  • Immediately update the Amelia WordPress plugin to the latest version (greater than 2.1.3) to patch CVE-2026-5465.
  • Monitor web server logs for POST requests to the /wp-admin/admin-ajax.php endpoint with the action parameter set to am_update_provider and a modified externalId parameter in the request body. Implement the Sigma rule Detect Amelia Plugin IDOR Attack to detect such activity.
  • Implement strong password policies and multi-factor authentication for all WordPress accounts, including those with limited privileges, to mitigate the impact of potential account compromises.
  • Review and audit existing WordPress user accounts and their assigned roles to identify and remove any unnecessary or excessive privileges.
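The log-monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from the advisory or from the Amelia project: it scans a request log for POSTs to admin-ajax.php whose action is am_update_provider and flags any whose externalId differs from the WordPress ID of the authenticated requester. The JSON-lines record layout (fields `method`, `uri`, `wp_user_id`, `body`) is an assumption standing in for whatever your reverse proxy or WAF emits when it captures request bodies, and the sample lines are constructed.

```python
import json
from urllib.parse import parse_qs, urlparse

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "am_update_provider"  # action name cited in the advisory

# Constructed sample log: one JSON record per request. Field names are an
# assumption; adapt them to the body-capturing logger you actually run.
SAMPLE_LOG = """\
{"method":"POST","uri":"/wp-admin/admin-ajax.php?action=am_update_provider","wp_user_id":42,"body":"externalId=42&firstName=Jane"}
{"method":"POST","uri":"/wp-admin/admin-ajax.php?action=am_update_provider","wp_user_id":42,"body":"externalId=1&firstName=Jane"}
{"method":"POST","uri":"/wp-admin/admin-ajax.php","wp_user_id":42,"body":"action=am_update_provider&externalId=7"}
{"method":"POST","uri":"/wp-admin/admin-ajax.php?action=heartbeat","wp_user_id":42,"body":"externalId=1"}
{"method":"GET","uri":"/wp-admin/admin-ajax.php?action=am_update_provider","wp_user_id":42,"body":""}
"""

def parse_body(body: str) -> dict:
    # The advisory does not state the body encoding, so accept both
    # form-encoded and JSON bodies; anything unparsable yields no fields.
    body = body.strip()
    if body.startswith("{"):
        try:
            return json.loads(body)
        except ValueError:
            return {}
    return {k: v[0] for k, v in parse_qs(body).items()}

def is_suspicious(record: dict):
    """Return an alert dict for a provider-update POST whose externalId is not
    the requester's own WordPress user ID; return None for benign records."""
    if record.get("method") != "POST":
        return None
    url = urlparse(record.get("uri", ""))
    if url.path != AJAX_PATH:
        return None
    body = parse_body(record.get("body", ""))
    # WordPress accepts the action either in the query string or in the body.
    action = parse_qs(url.query).get("action", [body.get("action")])[0]
    if action != TARGET_ACTION or "externalId" not in body:
        return None
    try:
        ext = int(body["externalId"])
    except (TypeError, ValueError):
        return {"reason": "non-numeric externalId", "value": body["externalId"]}
    me = record.get("wp_user_id")
    if me is not None and ext == int(me):
        return None  # user updating their own record: expected behaviour
    return {"reason": "externalId differs from requesting user",
            "requester": me, "externalId": ext}

def scan(log_text: str) -> list:
    """Run is_suspicious over every non-empty JSON line and collect alerts."""
    return [a for line in log_text.splitlines() if line.strip()
            for a in [is_suspicious(json.loads(line))] if a]
```

Running scan(SAMPLE_LOG) yields two alerts (externalId 1 and 7 from user 42); the self-update, the unrelated heartbeat action and the GET are ignored.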

Detection coverage (2 rules)

Detect Amelia Plugin IDOR Attack (severity: critical)

Detects attempts to exploit the IDOR vulnerability (CVE-2026-5465) in the Amelia WordPress plugin by monitoring for suspicious POST requests with modified externalId parameters.

Type: sigma. Tactics: persistence, privilege_escalation. Techniques: T1068. Sources: webserver, linux.

Detect Amelia wp_set_password usage with suspicious externalID (severity: high)

Detects potentially malicious use of the wp_set_password function within the Amelia plugin by non-admin users.

Type: sigma. Tactics: persistence, privilege_escalation. Techniques: T1068. Sources: webserver, linux.
