WordPress Plugin Vulnerabilities

Webba Booking < 5.0 - Cross-Site Request Forgery

Description

The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.33. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site administrator into performing an action such as clicking on a link. The impact of this vulnerability is unknown.

Affects Plugins

Plugin icon
webba-booking-lite
Fixed in 5.0

References

CVE
CVE-2023-51354
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/12a195a0-f992-462d-9b4e-69e8a2975635

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Skalucy
Verified
No
WPVDB ID
75e7c8bd-eb1e-4de9-8fbe-3963a3834bdc

Timeline

Publicly Published
2023-12-26 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-04-09
Title
Vite Coupon < 1.0.10 - Remote Code Execution via CSRF
Published
2025-12-30
Title
Movies Bulk Importer <= 1.0 - Cross-Site Request Forgery
Published
2025-07-22
Title
Omnishop <= 1.0.9 - Cross-Site Request Forgery to Arbitrary User Deletion via /users/delete REST Endpoint
Published
2025-09-26
Title
AR For WordPress <= 8.34 - Cross-Site Request Forgery
Published
2024-03-28
Title
News Wall <= 1.1.0 - Cross-Site Request Forgery to Plugin Settings Update