Cross-Site Request Forgery Vulnerability in BA Book Everything Plugin

CVE-2024-8795

8.8HIGH

Key Information

Vendor: Bookingalgorithms
Status: Ba Book Everything
Vendor: CVE Published:; 24 September 2024

Summary

The BA Book Everything plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.20. This is due to missing or incorrect nonce validation on the my_account_update() function. This makes it possible for unauthenticated attackers to update a user's account details via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to reset a user's password and gain access to their account.

Affected Version(s)

BA Book Everything <= 1.6.20

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published.
Sep 24, 2024
Disclosed
Sep 23, 2024
Vulnerability Reserved.
Sep 13, 2024

Collectors

NVD DatabaseMitre Database

Credit

wesley