CVE-2024-13746

The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts() functions in all versions up to, and including, 4.0.3. This makes it possible for unauthenticated attackers to extract data, create or update bookings, or delete arbitrary posts.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/tags/4.0.3/lib/includes/function.php
https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L134
https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L188
https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L270
https://www.wordfence.com/threat-intel/vulnerabilities/id/422bb9a5-c848-4492-add7-bc65b1111565?source=cve

Configurations

No configuration.

History

01 Mar 2025, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-01 05:15

Updated : 2025-03-01 05:15

NVD link : CVE-2024-13746

Mitre link : CVE-2024-13746

CVE.ORG link : CVE-2024-13746

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

6.5 /10