Hussien Misbah

**Name of the Vulnerable Software and Affected Versions** BookingPress WordPress plugin versions prior to 1.0.31 **Description** The issue allows any visitor to display information about any booking by manipulating the `appointment id` query parameter in the thank you page, potentially exposing full name, date, time, and service booked. This is due to an Insecure Direct Object Reference (IDOR) vulnerability. **Recommendations** For versions prior to 1.0.31, update to version 1.0.31 or later to resolve the issue. As a temporary workaround, consider restricting access to the thank you page or validating the `appointment id` query parameter to minimize the risk of exploitation.