CVE-2026-40789: WordPress Amelia plugin <= 2.2 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in Amelia <= 2.2 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated sensitive data exposure vulnerability affects the Amelia WordPress plugin at version 2.2 and earlier. The flaw is reachable over the network and requires no credentials, meaning any remote actor with HTTP access to a site running the plugin can trigger it. Successful exploitation gives the attacker read access to sensitive data handled by the plugin, such as booking records, customer details, or other stored information. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-40789 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Amelia plugin. Any image carrying Amelia at version 2.2 or earlier is flagged immediately on scan.
- Triage: Available. Triage uses the CVSS v3.1 base score of 7.5 (HIGH), with per-environment compliance policy weighting applied to surface the finding to the appropriate team inbox inside each customer organization. Where policies flag unauthenticated data-exposure issues at HIGH severity for expedited review, this CVE is routed accordingly.
- Remediation: Pending upstream. Because no fix version has been published upstream, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment the upstream fix lands. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
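The version check behind such a detection can be reproduced offline against a WordPress file tree. The script below is an added example, not HarborGuard's scanner or TMS code: it reads the plugin's WordPress header, normalises the version, and compares it numerically rather than as a string (a string compare would rank 2.10 below 2.2). The plugin location (wp-content/plugins/ameliabooking/ameliabooking.php) and the sample header are assumptions constructed for the example, not taken from the advisory.

```python
"""Added example, not HarborGuard's scanner or TMS's code.

Flags a WordPress tree that carries Amelia at version 2.2 or earlier by
reading the plugin header, the same fact an image scanner has to establish.

Assumptions (not stated in the advisory): the plugin lives under
wp-content/plugins/ameliabooking/ameliabooking.php and carries a standard
WordPress plugin header with a "Version:" line.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

ADVISORY_ID = "CVE-2026-40789"
AFFECTED_MAX = "2.2"   # advisory: <= 2.2 is affected; no fixed version published yet
PLUGIN_MAIN = Path("wp-content/plugins/ameliabooking/ameliabooking.php")  # assumed path

# WordPress reads headers as "Version: x.y.z", usually inside a /* */ comment block.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.10' -> (2, 10), '2.2.0' -> (2, 2), '2.2-beta' -> (2, 2).

    Integer tuples compare correctly; a plain string compare would put
    '2.10' before '2.2' and miss or mis-flag releases.
    """
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric piece (pre-release tags etc.)
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # 2.2.0 == 2.2
    return tuple(parts) or (0,)


def version_from_header(text: str) -> Optional[str]:
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def assess(header_text: str) -> dict:
    """Verdict for one plugin header. An unreadable version is reported, not silently ignored."""
    ver = version_from_header(header_text)
    if ver is None:
        return {"version": None, "affected": None, "note": "no Version: header; inspect manually"}
    return {"version": ver, "affected": is_affected(ver), "cve": ADVISORY_ID}


def scan_tree(root: Path) -> dict:
    """Locate the (assumed) main plugin file under a WordPress root and assess it."""
    main = root / PLUGIN_MAIN
    if not main.is_file():
        return {"present": False}
    result = assess(main.read_text(encoding="utf-8", errors="replace"))
    result["present"] = True
    result["path"] = str(main)
    return result


# Constructed sample header for a stand-alone run; not a real file from the plugin.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Amelia
Plugin URI: https://wpamelia.com/
Version: 2.2
*/
"""

if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / PLUGIN_MAIN).parent.mkdir(parents=True)
        (root / PLUGIN_MAIN).write_text(SAMPLE_HEADER, encoding="utf-8")
        print(scan_tree(root))
    for v in ("1.0.14", "2.2", "2.2.1", "2.10"):
        print(v, "affected" if is_affected(v) else "outside the advertised affected range")
```

Because the advisory lists no fixed version, a result of "outside the affected range" for anything above 2.2 means only that the version is not covered by the published range, not that it is known safe; treat it as unverified until upstream names the fix release.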
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress site over the network; no local or physical access is needed.
- Authentication: Not required
No account or session token is needed; the vulnerable endpoint is accessible to anonymous HTTP requests.
- Victim interaction: Not required
The attacker does not need a site user or administrator to take any action to trigger the exposure.
- Attack complexity: Low (AC:L)
Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental factors must be met.
Blast Radius
- A successful attacker reads sensitive data stored by the Amelia plugin, which typically includes customer names, email addresses, phone numbers, and appointment records.
- No write or delete capability is indicated; integrity and availability of stored data are not directly affected by this vulnerability.
- Exposed booking data may be leveraged for phishing, credential stuffing, or targeted social engineering against end users of the affected site.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-40789 is active against all scanned images that bundle Amelia at version 2.2 or earlier, including custom WordPress images. Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory and the TMS release feed on every ingest cycle. When a patched version is published, a rebuilt image becomes available immediately, and customers with auto-remediation enabled will receive a rebuild, a regression test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth evaluating include web-server, WAF, or network-policy rules that restrict anonymous access to the plugin's REST and AJAX endpoints, and temporarily disabling the plugin on public-facing environments if operational impact permits. Two caveats apply. First, the exposed data is returned in the HTTP response to the attacker's own request, so egress filtering of outbound connections does not reduce the exposure. Second, the advisory does not name the affected endpoint, and a booking plugin's public front end relies on the same plugin endpoints, so any access restriction should be tested against legitimate booking flows before it is applied to production.
Affected Products
- TMS / Amelia: ≤ 2.2
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N