cleantalk
Vulnerabilities and Security Researches

GetBookingsWP – Appointments Booking Calendar Plugin For WordPress, CVE-2024-13677

CVE, Research URL

CVE-2024-13677

Home page URL

Security reports for GetBookingsWP – Appointments Booking Calendar Plugin For WordPress

Application

GetBookingsWP – Appointments Booking Calendar Plugin For WordPress

Published on
Feb 18, 2025
Research Description
The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Affected versions
Min -, max 1.1.27.
Status
vulnerable
Previous vulnerability researches
GetBookingsWP – Appointments Booking Calendar Plugin For WordPress (CVE-2025-31896) , Apr 05, 2025
GetBookingsWP – Appointments Booking Calendar Plugin For WordPress (CVE-2024-13677) , Feb 19, 2025
New vulnerability
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts (CVE-2025-3100) , Apr 09, 2025
3DPrint Lite (CVE-2025-3428) , Apr 09, 2025
3DPrint Lite (CVE-2025-3429) , Apr 09, 2025
3DPrint Lite (CVE-2025-3427) , Apr 09, 2025
3DPrint Lite (CVE-2025-3430) , Apr 09, 2025