Vulnerability Description
The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after successful booking' setting is enabled.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trun
- https://plugins.trac.wordpress.org/changeset/3130266/bookingpress-appointment-bo
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4c367565-75f7-4dd7-a2f
FAQ
What is CVE-2024-7350?
CVE-2024-7350 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin no...
How severe is CVE-2024-7350?
CVE-2024-7350 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-7350?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.