Unauthorized Data Access Vulnerability in WP BASE Booking Plugin for WordPress
CVE-2024-12558

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Base Booking Of Appointments, Services And Events
Vendor: CVE Published:; 21 December 2024

Summary

The WP BASE Booking of Appointments, Services and Events plugin for WordPress, specifically in versions up to and including 4.9.2, has been identified with a critical vulnerability that permits unauthorized access to sensitive data. This vulnerability arises from a missing capability check on the 'export_db' function, allowing authenticated attackers with Subscriber-level access or higher to potentially expose critical information stored in the database, including the hashed administrator password. This risk underscores the importance of securing WordPress plugins and ensuring that all software is updated to the latest version to mitigate security risks.

Affected Version(s)

WP BASE Booking of Appointments, Services and Events * <= 4.9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-base-bookin...

https://plugins.trac.wordpress.org/changeset/3210164/wp-b...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 21, 2024
Vulnerability Reserved
Dec 11, 2024

Credit

Thanh Nam Tran