SecuriTricks - CVE-2024-13746

Description

The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts() functions in all versions up to, and including, 4.0.3. This makes it possible for unauthenticated attackers to extract data, create or update bookings, or delete arbitrary posts.

Product(s) Impacted

Product	Versions
WordPress Booking Calendar and Notification plugin	up to 4.0.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/tags/4.0.3/lib/includes/function.php

https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L134

https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L188

https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L270

https://www.wordfence.com/threat-intel/vulnerabilities/id/422bb9a5-c848-4492-add7-bc65b1111565?source=cve

CVSS Score

6.5 / 10

CVSS Data

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

View Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Date

Published: March 1, 2025, 5:15 a.m.
Last Modified: March 1, 2025, 5:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@wordfence.com

CVE-2024-13746