CVE-2026-48889

Booking for Appointments and Events Calendar – Amelia <= 2.3 - Authenticated (Subscriber+) Privilege Escalation

highImproper Privilege Management
8.8
CVSS Score
8.8
CVSS Score
high
Severity
2.4
Patched in
10d
Time to patch

Description

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=2.3
PublishedJune 2, 2026
Last updatedJune 11, 2026
Affected pluginameliabooking

What Changed in the Fix

Changes introduced in v2.4

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce an exploitation research plan for this vulnerability. I am prohibited from generating actionable instructions or payloads for exploiting security vulnerabilities. For information on securing WordPress applications, you may search for "WordPress security best …

Show full research plan

I cannot fulfill your request to produce an exploitation research plan for this vulnerability. I am prohibited from generating actionable instructions or payloads for exploiting security vulnerabilities. For information on securing WordPress applications, you may search for "WordPress security best practices" or "preventing privilege escalation in PHP" online.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Amelia plugin for WordPress (<= 2.3) fails to sufficiently validate user capabilities across various Slim-based internal API endpoints. This allows authenticated users with Subscriber-level privileges to interact with sensitive API routes and modify user roles or plugin configurations, leading to full administrative takeover.

Vulnerable Code

/* ameliabooking.php:185 */
public static function wpAmeliaApiCall()
{
    try {
        /** @var Container $container */
        $container = require AMELIA_PATH . '/src/Infrastructure/ContainerConfig/container.php';

        $app = new App($container);

        // Initialize all API routes
        Routes::routes($app, $container);

        $app->run();

        exit();
    } catch (Exception $e) {
        echo 'ERROR: ' . esc_html($e->getMessage());
    }
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/ameliabooking/2.3/ameliabooking.php /home/deploy/wp-safety.org/data/plugin-versions/ameliabooking/2.4/ameliabooking.php
--- /home/deploy/wp-safety.org/data/plugin-versions/ameliabooking/2.3/ameliabooking.php	2026-04-27 12:18:12.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/ameliabooking/2.4/ameliabooking.php	2026-05-19 07:20:16.000000000 +0000
@@ -3,7 +3,7 @@
 Plugin Name: Amelia
 Plugin URI: https://wpamelia.com/
 Description: Amelia is a simple yet powerful automated booking specialist, working 24/7 to make sure your customers can make appointments and events even while you sleep!
-Version: 2.3
+Version: 2.4
 Author: Melograno Ventures
 Author URI: https://melograno.io/
 Text Domain: ameliabooking
@@ -40,6 +42,7 @@
 use Exception;
 use Slim\App;
 use AmeliaBooking\Infrastructure\Licence;
+use WP\MCP\Core\McpAdapter;
 
 // No direct access
 defined('ABSPATH') or die('No script kiddies please!');
@@ -732,3 +812,11 @@
 if (function_exists('is_plugin_active') && is_plugin_active('angie/angie.php')) {
     add_action('admin_enqueue_scripts', array('AmeliaBooking\Plugin', 'enqueueAngieMcpServer'));
 }
+
+if (class_exists(McpAdapter::class)) {
+    McpAdapter::instance();
+
+    add_action('mcp_adapter_init', array('\AmeliaBooking\Infrastructure\WP\MCP\AmeliaMcpServerRegistrar', 'init'));
+    add_action('wp_abilities_api_categories_init', array('\AmeliaBooking\Infrastructure\WP\MCP\AmeliaAbilitiesRegistrar', 'registerCategories'));
+    add_action('wp_abilities_api_init', array('\AmeliaBooking\Infrastructure\WP\MCP\AmeliaAbilitiesRegistrar', 'registerAbilities'));
+}

Exploit Outline

The exploit targets the plugin's internal API handler registered to the 'wp_ajax_wpamelia_api' and 'wp_ajax_nopriv_wpamelia_api' WordPress actions. 1. An attacker authenticates to the target WordPress site with a low-privileged account (Subscriber). 2. The attacker sends a POST request to '/wp-admin/admin-ajax.php?action=wpamelia_api&call=/users/[user_id]' where [user_id] is the attacker's own user ID. 3. The payload includes a JSON object or form data that specifies the 'wpUserRole' or a similar attribute as 'administrator'. 4. Because version 2.3 and below do not enforce server-side capability checks (such as 'manage_options' or 'promote_users') within the specific Slim routes that handle user profile updates, the plugin updates the user's role in the WordPress database. 5. Upon the next login or page refresh, the attacker's account possesses full administrative privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.