PatchSiren cyber security CVE debrief
CVE-2026-48889 TMS CVE debrief
A high-severity vulnerability, CVE-2026-48889, was discovered in the Amelia plugin, affecting versions up to 2.3. This vulnerability allows for subscriber privilege escalation, posing a significant risk to WordPress sites using the affected plugin versions.
- Vendor: TMS
- Product: Amelia
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators and security teams responsible for WordPress sites that use the Amelia plugin, especially sites with subscriber-role accounts, should be aware of this vulnerability.
Technical summary
The vulnerability, with a CVSS score of 8.8, is categorized under CWE-266. It allows attackers with low privileges to escalate their privileges, potentially leading to unauthorized access and control over the affected sites.
Defensive priority
High
Recommended defensive actions
- Update the Amelia plugin to a version beyond 2.3 to mitigate the vulnerability.
- Review and restrict subscriber privileges on WordPress sites using the Amelia plugin.
- Monitor for any suspicious activity related to privilege escalation on affected sites.
Evidence notes
Evidence from Patchstack indicates a vulnerability in the Amelia plugin, version 2.3 or earlier, allowing for subscriber privilege escalation.
Official resources
- CVE-2026-48889 CVE record (CVE.org)
- CVE-2026-48889 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-48889 was published on 2026-06-15T21:17:18.087Z and modified on 2026-06-15T21:24:32.790Z.