CVE-2026-2931
Published: 26 March 2026
Summary
CVE-2026-2931 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly preventing IDOR exploitation by ensuring customer-level users cannot bypass checks to modify unauthorized user accounts like administrator passwords.
Implements least privilege to restrict customer-level permissions from including capabilities like password changes on higher-privilege accounts, limiting the scope of IDOR impact.
Validates user-supplied inputs such as object references in plugin commands, ensuring referenced customer or user IDs are legitimate and authorized for the requesting user.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in public-facing WordPress plugin enables remote authenticated priv-esc via unauthorized password changes (T1068 Exploitation for Privilege Escalation + T1098 Account Manipulation); exploitation occurs against exposed web app (T1190).
NVD Description
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources.…
more
This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.
Deeper analysisAI
CVE-2026-2931 is an Insecure Direct Object References vulnerability (CWE-269) in the Amelia Booking plugin for WordPress, affecting versions up to and including 9.1.2. The flaw stems from the pro plugin—which shares the same slug—providing user-controlled access to objects, enabling attackers to bypass authorization checks and access system resources.
Authenticated attackers possessing customer-level permissions or higher can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows them to change user passwords and potentially take over administrator accounts, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) due to high impacts on confidentiality, integrity, and availability.
References include the plugin's CodeCanyon listing at https://codecanyon.net/item/amelia-enterpriselevel-appointment-booking-wordpress-plugin/22067497, WordPress plugin trac source code at https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Application/Commands/User/Customer/UpdateCustomerCommandHandler.php#L173 and https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1/src/Application/Controller/User/Customer/UpdateCustomerController.php#L30 pinpointing the issue, and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/9dbaafbb-ab7b-41d8-a8f7-178b9d42b4c5?source=cve.
Details
- CWE(s)