CVE-2024-13821

Published: Feb 12, 2025Modified: Feb 25, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security@wordfence.com (Secondary)

Description

The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved.

Affected (1)

Products: Wpbookingcalendar: Booking Calendar

Wpbookingcalendar

1 product

Booking Calendar

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wpbookingcalendar Booking Calendar	Before 10.10.1

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3234469%40booking&new=3234469%40booking&sfp_email=&sfph_mail=#file20

Source: security@wordfence.com

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/8a0b961e-ccc3-4da0-b007-bbafa133a3a8?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.