WordPress Plugin Vulnerabilities

Booking Package < 1.6.29 - Unauthenticated Price Manipulation

Description

The Booking Package plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 1.6.27. This is due to insufficient validation on the pricing data being passed to the server. This makes it possible for unauthenticated attackers to modify the price of bookings.

Affects Plugins

Plugin icon
booking-package
Fixed in 1.6.29

References

CVE
CVE-2024-30516
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5b611abb-460c-44d4-9f77-052a208f8d85

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
3baccd11-153e-4223-adc6-0f1aa774edb2

Timeline

Publicly Published
2024-03-28 (about 2 years ago)
Added
2024-04-04 (about 2 years ago)
Last Updated
2024-04-04 (about 2 years ago)

Other

Published
Title
Published
2024-07-01
Title
LearnPress – WordPress LMS Plugin < 4.2.6.8.2 - Unauthenticated Bypass to User Registration
Published
2022-02-23
Title
WooCommerce < 6.2.1 - Subscriber+ Arbitrary Comment Deletion
Published
2024-05-22
Title
EmbedPress < 3.9.13 - Contributor+ PDF Block Embedding
Published
2025-03-03
Title
Wallet System for WooCommerce < 2.6.3 - Missing Authorization
Published
2026-01-09
Title
Blog2Social: Social Media Auto Post & Scheduler < 8.7.3 - Incorrect Authorization to Authenticated (Subscriber+) Sensitive Information Exposure