CVE-2024-7350

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-7350
The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after successful booking' setting is enabled.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_customers.php#L339
https://plugins.trac.wordpress.org/changeset/3130266/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_customers.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/4c367565-75f7-4dd7-a2f1-111df581bd7a?source=cve
Configurations

No configuration.

History

08 Aug 2024, 13:04

Type Values Removed Values Added
Summary
  • (es) El complemento Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress para WordPress es vulnerable a la omisión de autenticación en las versiones 1.1.6 a 1.1.7. Esto se debe a que el complemento no verifica adecuadamente la identidad del usuario antes de iniciar sesión al completar una reserva. Esto hace posible que atacantes no autenticados inicien sesión como usuarios registrados, incluidos administradores, si tienen acceso al correo electrónico de ese usuario. Esto solo se puede explotar cuando la configuración "Inicio de sesión automático de usuario después de una reserva exitosa" está habilitada.

08 Aug 2024, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-08-08 03:15

Updated : 2024-08-08 13:04

NVD link : CVE-2024-7350

Mitre link : CVE-2024-7350

CVE.ORG link : CVE-2024-7350

JSON object : View

Products Affected

No product.

CWE
CWE-288

Authentication Bypass Using an Alternate Path or Channel