CVE-2024-8432

The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_appearance() function in all versions up to, and including, 5.0.48. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the booking form's CSS.
Configurations

Configuration 1 (hide)

cpe:2.3:a:webba-booking:webba_booking:*:*:*:*:*:wordpress:*:*

History

27 Sep 2024, 12:58

Type Values Removed Values Added
CPE cpe:2.3:a:webba-booking:webba_booking:*:*:*:*:*:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/webba-booking-lite/tags/5.0.48/includes/class-wbk-request-manager.php#L1986 - () https://plugins.trac.wordpress.org/browser/webba-booking-lite/tags/5.0.48/includes/class-wbk-request-manager.php#L1986 - Product
References () https://plugins.trac.wordpress.org/changeset/3152926/webba-booking-lite/trunk/includes/class-wbk-request-manager.php - () https://plugins.trac.wordpress.org/changeset/3152926/webba-booking-lite/trunk/includes/class-wbk-request-manager.php - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/23b33b77-2e72-4959-bdce-646e968f2a73?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/23b33b77-2e72-4959-bdce-646e968f2a73?source=cve - Third Party Advisory
First Time Webba-booking webba Booking
Webba-booking

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) El complemento Appointment & Event Booking Calendar Plugin – Webba Booking para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en la función save_appearance() en todas las versiones hasta la 5.0.48 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, modifiquen el CSS del formulario de reservas.

24 Sep 2024, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-24 02:15

Updated : 2024-09-27 12:58


NVD link : CVE-2024-8432

Mitre link : CVE-2024-8432

CVE.ORG link : CVE-2024-8432


JSON object : View

Products Affected

webba-booking

  • webba_booking
CWE
CWE-862

Missing Authorization