Vulnerability in BookingPress Allows Authenticated Attackers to escalate Privileges
CVE-2024-6660

8.8HIGH

Key Information:

Vendor
Wordpress
Status
Bookingpress
Vendor
CVE Published:
17 July 2024

Summary

The BookingPress – Appointment Booking Calendar Plugin for WordPress contains a vulnerability that allows unauthorized data modification. This arises from a missing capability check in the bookingpress_import_data_continue_process_func function, present in all versions up to and including version 1.1.5. Authenticated attackers with Subscriber-level access can exploit this flaw to modify arbitrary options on the WordPress site and upload files. This can potentially enable the attacker to change the default registration role to administrator, allowing them broad administrative access to vulnerable sites.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/bookingpress-a...
https://plugins.trac.wordpress.org/browser/bookingpress-a...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.