Unauthorized Access to Administrator Accounts Through Plugin's Authentication Bypass
CVE-2024-7350

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Appointment Booking Calendar Plugin And Scheduling Plugin – Bookingpress
Vendor: CVE Published:; 8 August 2024

Summary

The Appointment Booking Calendar Plugin and Online Scheduling Plugin developed by BookingPress for WordPress has a vulnerability that allows for authentication bypass in versions 1.1.6 to 1.1.7. This vulnerability arises from inadequate verification of user identity during the login process after a booking is completed. When the 'Auto login user after successful booking' feature is enabled, attackers without proper credentials can exploit this flaw to impersonate any registered user, including administrators, if they have access to the victim's email address.

Affected Version(s)

Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress 1.1.6 <= 1.1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bookingpress-a...

https://plugins.trac.wordpress.org/changeset/3130266/book...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 8, 2024
Vulnerability Reserved
Jul 31, 2024

Credit

Gibran Abdillah