WordPress Security Bulletin: Amelia Booking Plugin Vulnerability (CVE-2026-2931)

Security Alert Summary

The Amelia Booking plugin for WordPress contains an insecure direct object reference (IDOR) vulnerability that can allow authenticated users with customer-level permissions or higher to bypass authorization and access or modify other users’ account data. According to the vulnerability report, exploited functionality can include changing user passwords and potentially taking over administrator accounts.


CVE Details

  • CVE ID: CVE-2026-2931
  • Affected plugin or component: Amelia Booking plugin for WordPress (pro plugin has the same slug)
  • Affected versions: Versions up to and including 9.1.2
  • Published: March 26, 2026 05:16:39 AM UTC
  • Last modified: March 26, 2026 05:16:39 AM UTC
  • CVSS v3.1: Base Score 8.8, Severity HIGH, Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Authentication / Privileges / User interaction: Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW (authenticated customer-level or above); User Interaction: NONE; Scope: UNCHANGED
  • Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
  • CWE / Weakness: CWE-269 (Improper Privilege Management)

Technical Details

This vulnerability is an Insecure Direct Object Reference (IDOR) in the Amelia Booking plugin. The plugin exposes internal objects through identifiers that the requesting user controls, allowing an authenticated user with customer-level permissions or higher to bypass the intended authorization checks and interact with resources belonging to other users.

The provided references point to the plugin code handling customer updates, including UpdateCustomerController.php and UpdateCustomerCommandHandler.php. The issue is described as insufficient or missing authorization checks around object access in those components, enabling attackers to change other users’ account details, including passwords.

The impact follows directly from the access the flaw grants: attackers with the required authenticated access can modify user data and credentials. The CVSS vector indicates network exploitation with low complexity and no user interaction required, which means an attacker who is already authenticated with low privileges could perform these actions without any involvement from the targeted user.
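As an added illustration (not the plugin's code, which this bulletin does not reproduce), the following shows the pattern behind this class of bug in a WordPress REST handler next to a version that enforces object-level authorization; the route, function and parameter names are assumptions:

```php
<?php
// Added illustration, not Amelia's code. Route, function and parameter
// names are hypothetical; WordPress core functions are real.

// VULNERABLE pattern: the target user id is taken from the request and
// trusted, so any authenticated user can update any other user's record.
function demo_update_customer_vulnerable( WP_REST_Request $request ) {
    $target_id = (int) $request->get_param( 'id' );
    if ( $request->get_param( 'password' ) ) {
        // Password reset for an arbitrary user id: the account-takeover path.
        wp_set_password( $request->get_param( 'password' ), $target_id );
    }
    return wp_update_user( array(
        'ID'         => $target_id,
        'user_email' => sanitize_email( $request->get_param( 'email' ) ),
    ) );
}

// HARDENED pattern: the target must be the caller, or the caller must hold a
// management capability; non-managers must re-prove the current password.
function demo_update_customer_hardened( WP_REST_Request $request ) {
    $caller_id  = get_current_user_id();
    $target_id  = (int) $request->get_param( 'id' );
    $is_manager = current_user_can( 'manage_options' ); // or a plugin-specific capability
    if ( $target_id !== $caller_id && ! $is_manager ) {
        // Object-level authorization: refuse before touching any data.
        return new WP_Error( 'rest_forbidden', 'You may only update your own account.', array( 'status' => 403 ) );
    }
    $new_password = $request->get_param( 'password' );
    if ( $new_password ) {
        $user = get_user_by( 'id', $target_id );
        if ( ! $user || ( ! $is_manager && ! wp_check_password( (string) $request->get_param( 'current_password' ), $user->user_pass, $user->ID ) ) ) {
            return new WP_Error( 'rest_forbidden', 'Current password is incorrect.', array( 'status' => 403 ) );
        }
        wp_set_password( $new_password, $target_id );
    }
    return wp_update_user( array(
        'ID'         => $target_id,
        'user_email' => sanitize_email( $request->get_param( 'email' ) ),
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/customer/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'demo_update_customer_hardened',
        // Route-level gate proves identity only; ownership is checked inside
        // the callback, which is the check an IDOR is missing.
        'permission_callback' => 'is_user_logged_in',
    ) );
} );
```

The `permission_callback` alone is not enough: it answers "is this user logged in?", while the IDOR question is "may this user act on this particular record?", which only the handler can decide.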


How This Could Impact Your Website

In a typical small- to medium-sized WordPress site using Amelia Booking, a scenario could involve a site owner, an internal staff member who manages bookings, and an external contractor or contributor with customer-level access. If a contractor or staff member has a customer-level account and the site is running an affected version, that authenticated user could potentially modify other users’ account details, including resetting passwords.

Practical consequences include exposure of internal user credentials, loss of control over administrator accounts, and increased risk of targeted phishing or social engineering against staff whose email addresses or account details are accessible. Any account takeover can lead to unauthorized changes to site content, data access, or further attacks.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor and customer-level accounts that have access to management interfaces.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, such as unexpected password changes or account updates.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References