CVE-2024-13821

WP Booking Calendar <= 10.10 - Unauthenticated Post-Confirmation Booking Manipulation

CVSS 5.3 MEDIUMEPSS 0.4%CWE-285

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.3EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

12 feb 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Productos afectados

wpdevelop · Booking Calendar

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3234469%40booking&new=3234469%40booking&sfp_email=&sfph_mail=#file20 https://www.wordfence.com/threat-intel/vulnerabilities/id/8a0b961e-ccc3-4da0-b007-bbafa133a3a8?source=cve