Home / Vulnerability Intelligence / CVE-2026-5465

CVE-2026-5465 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 7, 2026

Amelia WordPress Plugin - Broken Access Control

Published: April 7, 2026Updated: April 7, 2026PoC AvailableRemote Exploitable

Overview

Amelia WordPress plugin <= 2.1.3 contains an insecure direct object reference caused by lack of authorization checks on the externalId field in UpdateProviderCommandHandler, letting authenticated Provider users take over any WordPress account, exploit requires Provider-level or higher access.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 5.0%(Probability of exploitation in next 30 days)

Impact

Authenticated Provider users can take over any WordPress account, including administrators, leading to full site compromise.

Mitigation

Update to the latest version beyond 2.1.3.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 7, 2026

🟠 CVE-2026-5465 - High (8.8) The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate c... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5465/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

GitHub Repositories(1 repo)

https://github.com/kaleth4/CVE-2026-5465

Related Resources

Details

CVE ID: CVE-2026-5465
Severity: High
CVSS Score: 8.8
Type: broken_access_control
Status: unconfirmed
EPSS: 5.0%
Social Posts: 1

CWE

CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

5.0%Probability of exploitation in the next 30 days