You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
The Booking for Appointments and Events Calendar – Amelia...
High severity
Unreviewed
Published
Apr 7, 2026
to the GitHub Advisory Database
•
Updated Apr 7, 2026
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the UpdateProviderCommandHandler failing to validate changes to the externalId field when a Provider (Employee) user updates their own profile. The externalId maps directly to a WordPress user ID and is passed to wp_set_password() and wp_update_user() without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitrary externalId value when updating their own provider profile.
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Learn more on MITRE.
CVE ID
CVE-2026-5465
GHSA ID
GHSA-3wcx-px3j-79f4
Source code
No known source code
Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the
UpdateProviderCommandHandlerfailing to validate changes to theexternalIdfield when a Provider (Employee) user updates their own profile. TheexternalIdmaps directly to a WordPress user ID and is passed towp_set_password()andwp_update_user()without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitraryexternalIdvalue when updating their own provider profile.References