CVE-2024-7350

CRITICAL

BookingPress 1.1.6-1.1.7 - Unauthenticated Authentication Bypass via Auto-Login

Title source: llm

Description

The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after successful booking' setting is enabled.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_customers.php#L339

Product

https://plugins.trac.wordpress.org/changeset/3130266/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_customers.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/4c367565-75f7-4dd7-a2f1-111df581bd7a?source=cve

Scores

CVSS v3 9.8

EPSS 0.0066

EPSS Percentile 46.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-288

Status published

Products (1)

reputeinfosystems/Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress 1.1.6 - 1.1.7

Published Aug 08, 2024

Tracked Since Feb 18, 2026