Amelia < 2.2 – Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter | CVE 2026-5465 | Plugin Vulnerabilities

Description

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitrary `externalId` value when updating their own provider profile.

Affects Plugins

Fixed in 2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a4204099-1065-4167-8b42-3da25945236c

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Osvaldo Noe Gonzalez Del Rio (Os)

Verified

No

WPVDB ID

2da626cb-baaf-4a64-9a44-62a858eab90b

Timeline

Publicly Published

2026-04-06 (about 1 month ago)

Added

2026-04-06 (about 1 month ago)

Last Updated

2026-04-07 (about 1 month ago)

Other

Published

Title

Published

2020-12-28

Title

WooCommerce < 4.7.0 - Arbitrary Order Status Disclosure via IDOR

Published

2025-02-11

Title

Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin < 1.0.6 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2022-10-28

Title

Comments - wpDiscuz 7.4.2 - Subscriber+ IDOR

Published

2025-11-07

Title

Groups < 3.8.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join

Published

2023-12-05

Title

WP Photo Album Plus < 8.6.01.003 - Insecure Direct Object Reference