CVE-2026-5465
Published: 07 April 2026
Summary
CVE-2026-5465 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations before allowing Provider users to update externalId fields that map to arbitrary WordPress user IDs, directly preventing IDOR-based account takeovers.
Applies least privilege to restrict Provider-level users from modifying higher-privilege accounts via wp_set_password() and wp_update_user(), mitigating unauthorized privilege escalation.
Manages account modifications to ensure only authorized personnel can alter user credentials or details, countering the lack of checks in UpdateProviderCommandHandler.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The IDOR vulnerability in the profile update handler allows an authenticated low-privileged user to supply arbitrary externalId values, directly invoking wp_set_password() and wp_update_user() on any account (including admins). This enables unauthorized account manipulation (T1098) and exploitation of the software vulnerability for privilege escalation via account takeover (T1068).
NVD Description
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId`…
more
field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitrary `externalId` value when updating their own provider profile.
Deeper analysisAI
CVE-2026-5465 is an Insecure Direct Object Reference vulnerability (CWE-639) in the Booking for Appointments and Events Calendar – Amelia plugin for WordPress, affecting all versions up to and including 2.1.3. The flaw occurs in the UpdateProviderCommandHandler component, which does not validate modifications to the externalId field when a Provider (Employee) user updates their own profile. This externalId directly corresponds to a WordPress user ID and is passed without authorization checks to WordPress core functions wp_set_password() and wp_update_user(), published on 2026-04-07.
An authenticated attacker with Provider-level (Employee) access or higher can exploit this vulnerability over the network by supplying an arbitrary externalId value during their own provider profile update. This allows them to overwrite credentials or other details for any WordPress user account, including Administrator accounts, effectively achieving full account takeover. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects its high impact on confidentiality, integrity, and availability with low attack complexity and privileges.
References to the plugin's source code in the WordPress trac repository pinpoint the vulnerable code locations, including lines 146, 219, and 239 in src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php, and line 30 in src/Application/Controller/User/Provider/UpdateProviderController.php for version 2.1.3. A patch addressing the issue appears in changeset 3499608 applied to the trunk version of UpdateProviderCommandHandler.php.
Details
- CWE(s)