CVE-2026-5465

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitrary `externalId` value when updating their own provider profile.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L146
https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L219
https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L239
https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Controller/User/Provider/UpdateProviderController.php#L30
https://plugins.trac.wordpress.org/changeset/3499608/ameliabooking/trunk/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/a4204099-1065-4167-8b42-3da25945236c?source=cve

Configurations

No configuration.

History

07 Apr 2026, 07:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-07 07:16

Updated : 2026-04-27 19:04

NVD link : CVE-2026-5465

Mitre link : CVE-2026-5465

CVE.ORG link : CVE-2026-5465

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-5465", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-04-07T07:16:24.050", "references": [{"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L146", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L219", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L239", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Controller/User/Provider/UpdateProviderController.php#L30", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3499608/ameliabooking/trunk/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4204099-1065-4167-8b42-3da25945236c?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account \u2014 including Administrator \u2014 by injecting an arbitrary `externalId` value when updating their own provider profile."}], "lastModified": "2026-04-27T19:04:22.650", "sourceIdentifier": "security@wordfence.com"}