WordPress Plugin Vulnerabilities

Booking Calendar | Appointment Booking | BookIt < 2.1.6 - Authorised AJAX Calls

Description

The plugin does not properly check for CSRF in some of its AJAX actions, allowing them to be bypassed. Attackers could make logged in users call them and perform unwanted actions

Affects Plugins

Plugin icon
bookit
Fixed in 2.1.6

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
2ccb8b8c-87b7-4977-81c6-cc319a0d6e04

Timeline

Publicly Published
2021-06-30 (about 4 years ago)
Added
2021-06-30 (about 4 years ago)
Last Updated
2021-06-30 (about 4 years ago)

Other

Published
Title
Published
2021-12-27
Title
WP Extra File Types < 0.5.1 - CSRF to Stored Cross-Site Scripting
Published
2025-01-24
Title
FluentSMTP < 2.2.81 - Cross-Site Request Forgery
Published
2023-07-04
Title
Menubar < 5.9 - Cross-Site Request Forgery
Published
2023-12-27
Title
Inline Image Upload for BBPress < 1.1.19 - Cross-Site Request Forgery via hm_bbpui_admin_page
Published
2019-07-11
Title
Pricing Table < 2.3 - Cross-Site Request Forgery