WordPress Plugin Vulnerabilities
WPS Bookings for WooCommerce < 3.11.7 - Subscriber+ Arbitrary Booking Order Cancellation via IDOR
Description
The plugin does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders.
Proof of Concept
Affects Plugins
References
Classification
Type
IDOR
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Sanjorn Keeratirungsan
Submitter
Sanjorn Keeratirungsan
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-26 (about 21 days ago)
Added
2026-06-26 (about 20 days ago)
Last Updated
2026-06-26 (about 20 days ago)