Bookster < 1.2.0 – Unauthenticated Appointment Status Update | CVE 2024-5071 | Plugin Vulnerabilities

Description

The plugin allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to approved.

Proof of Concept

1. Open the Wordpress where the plugin is installed with default settings.
2. Create an appointment on a service offered. Select the agent and date of appointment. 
3. Provide the user information. Such as name, email, phonenumber, 
Select the payment method and click on submit.
4. Intercept the traffic using burp-suite. Add the parameter "book_status" with value "approved" on "apptInput" json dictionary.
5. Submit the request and observed that the booking status is changed to approved.

Affects Plugins

Fixed in 1.2.0

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Roshan Cheriyan

Submitter

Roshan Cheriyan

Submitter twitter

Verified

Yes

WPVDB ID

07b293cf-5174-45de-8606-a782a96a35b3

Timeline

Publicly Published

2024-06-05 (about 1 year ago)

Added

2024-06-05 (about 1 year ago)

Last Updated

2024-09-25 (about 1 year ago)

Other

Published

Title

Published

2025-07-10

Title

Premium Age Verification / Restriction for WordPress <= 3.0.2 - Unauthenticated Arbitrary File Read/Write

Published

2022-10-17

Title

WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint

Published

2022-11-21

Title

WPTools < 3.43 - Subscriber+ Arbitrary Plugin Installation

Published

2024-01-12

Title

Spiffy Calendar < 4.9.9 - Broken Access Control

Published

2024-02-05

Title

Prime Slider – Addons For Elementor < 3.11.11 - Incorrect Authorization via bdt_duplicate_as_draft