Unauthorized Access and Data Loss in Booking Calendar Plugin by WordPress
CVE-2024-13746

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Booking Calendar And Notification
Vendor: CVE Published:; 1 March 2025

What is CVE-2024-13746?

The Booking Calendar and Notification plugin for WordPress has a vulnerability that allows unauthorized users to access, modify, or delete booking data. Due to insufficient capability checks in several functions, including wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts(), attackers can exploit this flaw to compromise sensitive information and manipulate booking entries without proper authentication. This raises serious security concerns for website operators using this plugin.

Affected Version(s)

Booking Calendar and Notification * <= 4.0.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/booking-calend...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 1, 2025
Vulnerability Reserved
Jan 27, 2025

Credit

Pham Van Tam

Hoang Phuc Vo