A successful attack gives an external attacker full administrative control of your WordPress website — including the ability to steal customer booking data, install malware, redirect visitors to malicious sites, or take the site offline entirely. For organizations using Amelia in customer-facing booking workflows (healthcare, hospitality, professional services), a compromise may expose customer personal data and trigger breach notification obligations under applicable privacy regulations. CISA's active-exploitation designation means this is not theoretical: sites running unpatched versions of this plugin are being targeted now.
You Are Affected If
You run the Amelia Booking Plugin for WordPress (free or pro, plugin slug 'ameliabooking') version 9.1.2 or earlier
Your WordPress site allows public user registration or has existing customer-role accounts
The WordPress site is internet-facing without a WAF rule blocking manipulation of Amelia AJAX endpoints
You have not upgraded the Amelia plugin to version 9.1.3 or later
Your WordPress administrator accounts do not use unique, high-entropy passwords, or you have no anomalous-login alerting in place
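The checklist above can be turned into a repeatable exposure check. The following Python is an added example written for this advisory, not code from the Amelia project or from the advisory's author. It parses the plugin's WordPress header comment for its `Version:` field, compares it numerically against the first fixed release (9.1.3, as stated above), and reports which of the listed conditions hold. The sample header is constructed; the inputs for public registration and WAF coverage are assumed to be supplied by the operator (for example from the real `users_can_register` option, readable with `wp option get users_can_register`).

```python
"""Exposure check for the Amelia Booking advisory (added example).

Inputs: the plugin's header text, whether public registration is on,
and whether a WAF rule covers the Amelia AJAX endpoints. The header
below is a constructed sample, not the real plugin file.
"""
import re

# First release the advisory names as fixed.
FIXED_VERSION = (9, 1, 3)


def parse_version(text):
    """Turn '9.1.2' into (9, 1, 2) so the comparison is numeric.

    A plain string comparison would wrongly rank '9.10.0' below '9.1.3';
    splitting into integers avoids that pitfall. Missing components are
    padded with zeros, and a suffix such as '-beta' is ignored.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts) + (0,) * (3 - len(parts))


def plugin_version_from_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable_version(version):
    """True when the installed version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def assess_exposure(header_text, users_can_register, waf_blocks_amelia_ajax):
    """Return the advisory conditions that hold for this site (empty = none)."""
    findings = []
    version = plugin_version_from_header(header_text)
    if version is None:
        # Conservative: an unreadable header is treated as a finding.
        findings.append("could not determine ameliabooking version")
    elif is_vulnerable_version(version):
        findings.append(
            f"ameliabooking {version} is 9.1.2 or earlier (upgrade to 9.1.3 or later)"
        )
    if users_can_register:
        findings.append("public user registration is enabled")
    if not waf_blocks_amelia_ajax:
        findings.append("no WAF rule covering Amelia AJAX endpoints")
    return findings


# Constructed sample of a WordPress plugin header; not the real file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Amelia
 * Version: 9.1.2
 */
"""

if __name__ == "__main__":
    for finding in assess_exposure(SAMPLE_HEADER, True, False):
        print("FINDING:", finding)
```

In practice the header text comes from the plugin's main PHP file under `wp-content/plugins/ameliabooking/` (path assumed), or the version can be read directly with `wp plugin get ameliabooking --field=version`; the numeric comparison matters because a future 9.10.x release must not be misread as vulnerable.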
Board Talking Points
A widely used WordPress booking plugin has a confirmed, actively exploited flaw that lets any registered site user take over the website's administrator account.
Any WordPress site running the Amelia plugin through version 9.1.2 should be patched within 24 hours — the fix is a single plugin update.
Organizations that do not patch are at immediate risk of full website compromise, customer data theft, and potential regulatory breach notification requirements.
GDPR / regional privacy law — Amelia Booking collects customer personal data (names, email addresses, appointment details); admin account takeover exposes this data and may trigger breach notification obligations
HIPAA — if the booking plugin is used for healthcare appointment scheduling and patient information is stored or accessible via the WordPress instance, a full admin compromise constitutes a reportable breach