CVE-2024-6175

MEDIUM

Booking Ultra Pro Appointments Booking Calendar Plugin <1.1.13 - In...

Title source: llm
STIX 2.1

Description

The Booking Ultra Pro Appointments Booking Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the multiple functions called via AJAX like save_fields_settings, bup_delete_user_avatar, bup_crop_avatar_user_profile_image, and more in all versions up to, and including, 1.1.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete. multiple plugin options and data such as payments, pricing, booking information, business hours, calendars, profile information, and email templates.

Scores

CVSS v3 5.4
EPSS 0.0030
EPSS Percentile 21.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
deetronix/Booking Ultra Pro Appointments Booking Calendar Plugin < 1.1.13
Published Jul 18, 2024
Tracked Since Feb 18, 2026