Unauthorized Access and Data Loss in Booking Calendar Plugin by WordPress
CVE-2024-13746
6.5 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 1 March 2025
What is CVE-2024-13746?
The Booking Calendar and Notification plugin for WordPress has a vulnerability that allows unauthorized users to access, modify, or delete booking data. Due to insufficient capability checks in several functions, including wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts(), attackers can exploit this flaw to compromise sensitive information and manipulate booking entries without proper authentication. This raises serious security concerns for website operators using this plugin.
Affected Version(s)
Booking Calendar and Notification * <= 4.0.3