CVE-2024-6467

Published: Jul 17, 2024Modified: Apr 8, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: security@wordfence.com (Secondary)

Description

The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to Arbitrary File Read to Arbitrary File Creation in all versions up to, and including, 1.1.5 via the 'bookingpress_save_lite_wizard_settings_func' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary files that contain the content of files (either on the local server or from a remote location), allowing the execution of any PHP code in those files or the exposure of sensitive information.

Affected (1)

Products: Reputeinfosystems: Bookingpress

Reputeinfosystems

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Reputeinfosystems Bookingpress	Before 1.1.6

Related CWEs

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

References (4)

https://plugins.trac.wordpress.org/changeset/3116857/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress.php

Source: security@wordfence.com

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/d0177510-cd7d-4cc5-96c3-78433aa0e3f6?source=cve

Source: security@wordfence.com

Third Party Advisory

https://plugins.trac.wordpress.org/changeset/3116857/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress.php

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/d0177510-cd7d-4cc5-96c3-78433aa0e3f6?source=cve

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.