WordPress Plugin Vulnerabilities

WPS Bookings for WooCommerce < 3.11.7 - Subscriber+ Arbitrary Booking Order Cancellation via IDOR

Description

The plugin does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders.

Proof of Concept

Affects Plugins

References

Classification

Type
IDOR
CWE

Miscellaneous

Original Researcher
Sanjorn Keeratirungsan
Submitter
Sanjorn Keeratirungsan
Verified
Yes

Timeline

Publicly Published
2026-06-26 (about 21 days ago)
Added
2026-06-26 (about 20 days ago)
Last Updated
2026-06-26 (about 20 days ago)

Other