WP Booking System < 2.0.19.11 – Missing Authorization via wpbs_refresh_calendar_editor | CVE 2024-50425 | Plugin Vulnerabilities

Description

The WP Booking System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpbs_refresh_calendar_editor function in versions up to, and including, 2.0.19.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify calendars.

Affects Plugins

wp-booking-system

Fixed in 2.0.19.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a8a05986-46e2-49eb-b196-d5c36b03a394

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

b228586a-fc63-4c61-8175-73223459de08

Timeline

Publicly Published

2024-10-24 (about 1 year ago)

Added

2024-10-30 (about 1 year ago)

Last Updated

2024-10-30 (about 1 year ago)

Other

Published

Title

Published

2025-04-04

Title

Contact Form, Drag and Drop Form Builder Plugin <= 4.8.5 - Missing Authorization

Published

2025-08-21

Title

Voting Contest <= 5.8 - Missing Authorization

Published

2025-06-05

Title

診断ジェネレータ作成プラグイン <= 1.4.16 - Missing Authorization

Published

2025-04-01

Title

Publitio < 2.1.9 - Missing Authorization

Published

2024-12-24

Title

WooCommerce Point of Sale < 6.2.0 - Insecure Direct Object Reference to Privilege Escalation via Arbitrary User Email Change