Unauthorized Access to Administrator Accounts Through Plugin's Authentication Bypass
CVE-2024-7350

9.8CRITICAL

Key Information:

Vendor

Wordpress
Status
Appointment Booking Calendar Plugin And Scheduling Plugin – Bookingpress
Vendor
CVE Published:
8 August 2024

What is CVE-2024-7350?

The Appointment Booking Calendar Plugin and Online Scheduling Plugin developed by BookingPress for WordPress has a vulnerability that allows for authentication bypass in versions 1.1.6 to 1.1.7. This vulnerability arises from inadequate verification of user identity during the login process after a booking is completed. When the 'Auto login user after successful booking' feature is enabled, attackers without proper credentials can exploit this flaw to impersonate any registered user, including administrators, if they have access to the victim's email address.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress 1.1.6 <= 1.1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/bookingpress-a...
https://plugins.trac.wordpress.org/changeset/3130266/book...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Gibran Abdillah
JSON
.