Vulnerability in BookingPress Allows Authenticated Attackers to escalate Privileges
CVE-2024-6660
8.8HIGH
What is CVE-2024-6660?
The BookingPress – Appointment Booking Calendar Plugin for WordPress contains a vulnerability that allows unauthorized data modification. This arises from a missing capability check in the bookingpress_import_data_continue_process_func function, present in all versions up to and including version 1.1.5. Authenticated attackers with Subscriber-level access can exploit this flaw to modify arbitrary options on the WordPress site and upload files. This can potentially enable the attacker to change the default registration role to administrator, allowing them broad administrative access to vulnerable sites.