Authentication Bypass Vulnerability in BookIt Plugin for WordPress
CVE-2023-2834

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Booking Calendar | Appointment Booking | Bookit
Vendor: CVE Published:; 30 June 2023

What is CVE-2023-2834?

The BookIt plugin for WordPress contains a security flaw that allows unauthenticated attackers to bypass authentication checks. This vulnerability arises from inadequate verification of user identities during the appointment booking process. An attacker with access to an existing user's email could exploit this weakness to log in as that user, including administrators, potentially compromising the site's security. It affects all versions up to and including 2.3.7, making it critical for users to update to the latest version to mitigate the risk.

Affected Version(s)

Booking Calendar | Appointment Booking | BookIt * <= 2.3.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bookit/tags/2....

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2023
Vulnerability Reserved
May 22, 2023

Credit

Lana Codes

Wordpress

What is CVE-2023-2834?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit