CVE-2022-4036

MEDIUM

WordPress Appointment Hour Booking <1.3.72 - Auth Bypass

Description

The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of an insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie.

Scores

CVSS v3 5.3
EPSS 0.0009
EPSS Percentile 26.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE CWE-326, CWE-804
Status published
Products (2)
codepeople/Appointment Hour Booking – Booking Calendar < 1.3.72
dwbooster/appointment_hour_booking < 1.3.72
Published Nov 29, 2022
Tracked Since Feb 18, 2026