CVE-2024-13746 Information

Mar 02, 2025 cve

Description

The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access modification and loss of data due to missing capability checks on the wpcb_all_bookings() wpcb_update_booking_post() and wpcb_delete_posts() functions in all versions up to and including 4.0.3. This makes it possible for unauthenticated attackers to extract data create or update bookings or delete arbitrary posts.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Reference

https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/tags/4.0.3/lib/includes/function.php https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L134 https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L188 https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L270 https://www.wordfence.com/threat-intel/vulnerabilities/id/422bb9a5-c848-4492-add7-bc65b1111565?source=cve

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.5

Share on: