All Versions Vulnerable to Arbitrary File Read to Arbitrary File Creation
CVE-2024-6467
8.8 HIGH
Summary
The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin for WordPress has an Arbitrary File Read and Arbitrary File Creation vulnerability. Authenticated attackers with Subscriber-level access or higher can exploit it through the 'bookingpress_save_lite_wizard_settings_func' function. Exploitation lets them create arbitrary files that could include sensitive server data or execute PHP code. This can expose critical sensitive information and poses severe risks to the integrity of the WordPress environment.
References
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published