WordPress Plugin Vulnerabilities

Easy Appointments < 3.11.19 - Insufficient Authorization

Description

The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users orders.

Affects Plugins

Plugin icon
easy-appointments
Fixed in 3.11.19

References

CVE
CVE-2024-2844
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c0d8ac01-ac73-47ea-839b-edc820436f27

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
4a769478-0eee-4b45-b63e-97c8815531dc

Timeline

Publicly Published
2024-03-28 (about 2 years ago)
Added
2024-03-28 (about 2 years ago)
Last Updated
2024-03-28 (about 2 years ago)

Other

Published
Title
Published
2024-12-11
Title
Projectopia < 5.1.8 - Missing Authorization to Privilege Escalation via pto_reset_password()
Published
2022-08-15
Title
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthorised AJAX Calls
Published
2023-12-07
Title
Custom Login < 4.1.1 - Subscriber+ Unauthorised Action
Published
2025-03-18
Title
LifterLMS < 8.0.2 - Missing Authorization to Unauthenticated Post Trashing
Published
2025-01-24
Title
Print Barcode Labels for your WooCommerce products/orders < 3.4.11 - Missing Authorization