WP Booking Calendar < 10.10.1 – Unauthenticated Post-Confirmation Booking Manipulation | CVE 2024-13821 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved.

Affects Plugins

Fixed in 10.10.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8a0b961e-ccc3-4da0-b007-bbafa133a3a8

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Asaf Mozes

Verified

No

WPVDB ID

83c8abdb-f6cd-4cb1-8e50-d4446dd74539

Timeline

Publicly Published

2025-02-11 (about 1 year ago)

Added

2025-02-12 (about 1 year ago)

Last Updated

2025-02-12 (about 1 year ago)

Other

Published

Title

Published

2021-10-27

Title

WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header

Published

2026-01-12

Title

CP Image Store with Slideshow < 1.2.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import

Published

2021-12-28

Title

Shortcode Addons < 3.2.0 - Authenticated Arbitrary Options Update

Published

2026-01-05

Title

Timetics < 1.0.48 - Incorrect Authorization to Authenticated (Timetics Customer+) User Creation

Published

2022-11-17

Title

Crowdsignal Dashboard < 3.0.10 - Contributor+ Rating Settings Update