Vulnerability in BookingPress Allows Authenticated Attackers to escalate Privileges
CVE-2024-6660

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Bookingpress
Vendor: CVE Published:; 17 July 2024

What is CVE-2024-6660?

The BookingPress – Appointment Booking Calendar Plugin for WordPress contains a vulnerability that allows unauthorized data modification. This arises from a missing capability check in the bookingpress_import_data_continue_process_func function, present in all versions up to and including version 1.1.5. Authenticated attackers with Subscriber-level access can exploit this flaw to modify arbitrary options on the WordPress site and upload files. This can potentially enable the attacker to change the default registration role to administrator, allowing them broad administrative access to vulnerable sites.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bookingpress-a...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 17, 2024

Wordpress

What is CVE-2024-6660?

References

CVSS V3.1

Timeline