CVE-2022-0709 Information

Description

The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the ical representation of it’s booking calendar but this token is returned in the json response to unauthenticated users performing a booking leading to a sensitive data disclosure vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://wpscan.com/vulnerability/3cd1d8d2-d2a4-45a9-9b5f-c2a56f08be85

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5