CVE-2026-24963
Incorrect Privilege Assignment in AmeliaBooking Allows Privilege Escalation
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amelia | ameliabooking | to 1.2.38 (inc) |
| amelia | ameliabooking | 2.0 |
| ameliabooking | ameliabooking | to 1.2.38 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the Amelia Plugin to version 2.0 or later, which contains the patch for this vulnerability.
Additionally, applying Patchstackβs mitigation rules can help block exploitation attempts targeting this vulnerability until the update is applied.
Patchstack users can also enable auto-updates specifically for vulnerable plugins to ensure ongoing protection.
Can you explain this vulnerability to me?
CVE-2026-24963 is a medium priority privilege escalation vulnerability in the WordPress Amelia Plugin versions up to 1.2.38.
This vulnerability allows a malicious actor who has a low privileged account, specifically at the Amelia Employee Developer level, to escalate their privileges.
By exploiting this flaw, the attacker can potentially gain full control over the website if they obtain high-level privileges.
The issue is classified under OWASP Top 10 A7: Identification and Authentication Failures.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker with limited access to escalate their privileges and gain full control over your WordPress website running the Amelia Plugin.
This means the attacker could perform unauthorized actions, modify or delete data, and potentially compromise the entire site.
The CVSS score of 7.2 indicates a moderate level of danger and a reasonable likelihood of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific commands or methods to detect this vulnerability on your network or system.