CVE-2026-2931 is a high-severity IDOR vulnerability (CVSS 8.8) in the Amelia Booking Plugin for WordPress that allows any authenticated user with customer-level access to take over WordPress administrator accounts by manipulating object references in API requests. CISA KEV listed with confirmed active exploitation.