CVE-2022-4340
BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
02 Jan 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
Unknown · BookingPress