WordPress Plugin Vulnerabilities

WP Booking System < 2.0.19.3 - Missing Authorization

Description

The WP Booking System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpbs_save_calendar_data function in versions up to, and including, 2.0.19.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to save calendar data.

Affects Plugins

Plugin icon
wp-booking-system
Fixed in 2.0.19.3

References

CVE
CVE-2023-49758
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/805c46ec-0b8a-4a40-bfc9-5d2d8d43a17b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
95bfbb0e-0b69-4ac3-9ca6-61fb10edfea6

Timeline

Publicly Published
2023-12-04 (about 5 months ago)
Added
2023-12-09 (about 5 months ago)
Last Updated
2024-01-22 (about 3 months ago)

Other

Published
Title
Published
2024-02-29
Title
Wp Social Login and Register Social Counter < 3.0.1 - Missing Authorization to Unauthenticated Social Login/Share Status Update
Published
2023-02-24
Title
Apollo13 Framework Extensions < 1.9.0 - Missing Authorization
Published
2023-12-27
Title
Simple Staff List < 2.2.5 - Missing Authorization via ajax_flush_rewrite_rules and staff_member_export
Published
2024-03-05
Title
Total < 2.1.60 - Missing Authorization to Authenticated (Subscriber+) Sections Update
Published
2022-12-05
Title
Health Check & Troubleshooting < 1.2.4 - Missing Authorization Checks