CVE-2026-24963
Published: 05 March 2026
Summary
CVE-2026-24963 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 17.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-24963 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Amelia WordPress plugin, also referred to as ameliabooking. This flaw allows for privilege escalation and affects all versions from n/a through 1.2.38.
The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): it is exploitable over the network with low attack complexity and no user interaction, but only by an attacker who already holds high privileges (an authenticated high-privilege user). The scope is unchanged, so the impact is confined to the affected WordPress installation; within it, successful exploitation has high impact on confidentiality, integrity and availability, enabling unauthorized access to confidential data, modification of site integrity, and disruption of availability through the escalated privileges.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-1-2-38-privilege-escalation-vulnerability?_s_id=cve details this privilege escalation issue in Amelia plugin version 1.2.38 and provides mitigation guidance for WordPress environments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9602
Vulnerability details
Incorrect Privilege Assignment vulnerability in ameliabooking Amelia ameliabooking allows Privilege Escalation. This issue affects Amelia: from n/a through <= 1.2.38.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an incorrect privilege assignment leading to privilege escalation in a WordPress plugin. This directly matches T1068 (Exploitation for Privilege Escalation): the vulnerability is exploited by an authenticated high-privilege user to gain elevated access and high-impact control over the installation.
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Directly counters the CWE-266 incorrect privilege assignment by ensuring the Amelia plugin and WordPress roles receive only the minimum permissions required, blocking the escalation path for authenticated high-privilege users.
- AC-3 (Access Enforcement): Enforces the intended access-control policy at runtime so that the flawed privilege checks in Amelia <= 1.2.38 cannot be bypassed to grant unauthorized high-impact capabilities.
- Account and privilege management: Requires explicit management and periodic review of accounts and assigned privileges, limiting the window in which an over-privileged account could exploit the Amelia flaw.