WordPress Plugin Vulnerabilities

Booking calendar, Appointment Booking System < 3.2.4 - Form Creation/Update/Deletion/Duplication via CSRF

Description

The plugin does not have CSRF checks on some of its form actions such as creation/update/deletion and duplication, which could allow attackers to make logged in admin perform such actions via CSRF attacks

Affects Plugins

Plugin icon
booking-calendar
Fixed in 3.2.4

References

CVE
CVE-2023-24388

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
24cacea4-fda9-498c-b346-9dd02b0827a1

Timeline

Publicly Published
2023-01-27 (about 3 years ago)
Added
2023-02-17 (about 3 years ago)
Last Updated
2023-02-17 (about 3 years ago)

Other

Published
Title
Published
2024-02-27
Title
Yuki < 1.3.15 - Cross-Site Request Forgery to Theme Setting Reset
Published
2025-09-03
Title
Tickera < 3.5.5.8 - Cross-Site Request Forgery
Published
2025-12-08
Title
Flashy Marketing Automation < 2.0.9 - Cross-Site Request Forgery
Published
2020-09-16
Title
NotificationX < 1.8.3 - Cross-Site Request Forgery
Published
2023-09-29
Title
Shockingly Simple Favicon <= 1.8.2 - Settings Update via CSRF