Unauthorized Access and Data Loss in Booking Calendar Plugin by WordPress
CVE-2024-13746

6.5 MEDIUM

Key Information:

Vendor: Imznarf
Product: Booking Calendar And Notification
CVE Published: 1 March 2025

Summary

The Booking Calendar and Notification plugin for WordPress has a vulnerability that allows unauthorized users to access, modify, or delete booking data. Due to insufficient capability checks in several functions, including wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts(), attackers can exploit this flaw to compromise sensitive information and manipulate booking entries without proper authentication. This raises serious security concerns for website operators using this plugin.

Affected Version(s)

Booking Calendar and Notification * <= 4.0.3

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pham Van Tam
Hoang Phuc Vo