WordPress Plugin Vulnerabilities

Amelia < 1.2.17 - Unauthenticated Insecure Direct Object Reference

Description

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.16 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
ameliabooking
Fixed in 1.2.17

References

CVE
CVE-2025-26965
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5cd8c464-1402-4301-ac66-4e6fc0328de2

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Revan Arifio
Verified
No
WPVDB ID
6a7c27e1-b20e-4a3b-a51b-ba0a2024febf

Timeline

Publicly Published
2025-02-23 (about 1 year ago)
Added
2025-03-03 (about 1 year ago)
Last Updated
2025-03-03 (about 1 year ago)

Other

Published
Title
Published
2024-05-14
Title
BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment
Published
2023-11-03
Title
Youzify < 1.2.3 - Insecure Direct Object Reference
Published
2024-12-02
Title
Client Invoicing by Sprout Invoices < 20.8.1 - Insecure Direct Object Reference
Published
2025-12-20
Title
WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference
Published
2025-10-21
Title
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier < 2.0.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out