CVE-2026-5465
Severity: HIGH
Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter
Title source: CNA

Exploitation Summary
EIP tracks 1 public exploit for CVE-2026-5465. PoCs published by kaleth4.
AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2026-5465, an IDOR vulnerability in the Amelia WordPress plugin allowing authenticated users with the 'Provider' role to escalate privileges to administrator via insecure direct object references. The writeup includes root cause analysis, exploit mechanics, proof-of-concept code, and mitigation steps.
Description
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitrary `externalId` value when updating their own provider profile.
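The root cause described above is a handler that trusts a caller-supplied `externalId` as the WordPress user ID it writes to. The following is an added illustration, not code from the Amelia plugin, contrasting that pattern with one that resolves the linked user ID from the stored provider record and requires the `edit_users` capability before any re-linking. The `amelia_demo_*` function names, the `$payload` and `$stored_provider` array shapes, and the `externalId` key layout are assumptions; `wp_update_user()`, `wp_set_password()`, `current_user_can()`, `get_current_user_id()` and `sanitize_email()` are WordPress core functions.

```php
<?php
// Added illustration for CVE-2026-5465 (not the plugin's own code).
// Assumes it runs inside WordPress so the core functions below are available.

/**
 * Vulnerable pattern (simplified): the request body decides which WordPress
 * account is modified, so a Provider can aim the update at any user ID.
 */
function amelia_demo_update_provider_vulnerable(array $payload): void
{
    $wp_user_id = (int) $payload['externalId'];   // attacker-controlled, never checked

    wp_update_user([
        'ID'         => $wp_user_id,
        'user_email' => sanitize_email($payload['email'] ?? ''),
    ]);
    if (!empty($payload['password'])) {
        wp_set_password($payload['password'], $wp_user_id);   // resets ANY account
    }
}

/**
 * Hardened pattern: the target account comes from the server-side provider
 * record, and changing that link requires the edit_users capability.
 * Returns false (caller should answer 403) when the check fails.
 */
function amelia_demo_update_provider_hardened(array $payload, array $stored_provider): bool
{
    $current_user = get_current_user_id();
    $linked_user  = (int) $stored_provider['externalId'];   // loaded from the database
    $can_manage   = current_user_can('edit_users');          // administrators only

    // A Provider may only edit the account already linked to their own profile.
    if ($linked_user !== $current_user && !$can_manage) {
        return false;
    }

    // Any attempt to re-point the profile at a different WordPress user is
    // rejected unless the caller is allowed to manage users.
    $requested = isset($payload['externalId']) ? (int) $payload['externalId'] : $linked_user;
    if ($requested !== $linked_user && !$can_manage) {
        return false;
    }

    $target = $can_manage ? $requested : $linked_user;

    $userdata = ['ID' => $target];
    if (!empty($payload['email'])) {
        $userdata['user_email'] = sanitize_email($payload['email']);
    }
    wp_update_user($userdata);

    if (!empty($payload['password'])) {
        wp_set_password($payload['password'], $target);   // now bound to the owner's account
    }
    return true;
}
```

The key difference is where the user ID comes from: the hardened handler treats `externalId` in the request as a privileged field that is ignored for ordinary Providers, so the password and profile writes can only land on the account the server already associates with the caller.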
Exploits (1)
Public PoC repository by kaleth4 (summarized above).
Scores
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H