PT-2023-14197 · WordPress · Bookingpress

Hussien Misbah · Published 2023-01-02 · Updated 2023-01-09 · CVE-2022-4340

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: BookingPress WordPress plugin versions prior to 1.0.31
Description: The issue allows any visitor to display information about any booking by manipulating the appointment id query parameter on the thank you page, potentially exposing the customer's full name, date, time, and service booked. This is due to an Insecure Direct Object Reference (IDOR) vulnerability: the page looks the booking up by its id alone, without checking that the requester is entitled to see it.
Recommendations: For versions prior to 1.0.31, update to version 1.0.31 or later to resolve the issue. As a temporary workaround, consider restricting access to the thank you page or validating the appointment id query parameter to minimize the risk of exploitation.
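To illustrate the class of defect described above, the following is an added example (not BookingPress's code, and not the vendor's fix): a hypothetical WordPress thank-you handler that selects a booking by id alone, beside a hardened version that binds each booking to a random per-booking token carried in the confirmation link. Table and function names (`demo_appointments`, `view_token`, the `idor_demo_*` functions) are assumptions.

```php
<?php
// Added illustration of an IDOR on a booking thank-you page; table, column and
// function names are hypothetical, not those of any real plugin.

// Vulnerable pattern: the caller-supplied id alone selects the record, so any
// visitor can change the id and read another customer's booking details.
function idor_demo_vulnerable_thankyou() {
    global $wpdb;
    $appointment_id = isset( $_GET['appointment_id'] ) ? absint( $_GET['appointment_id'] ) : 0;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT customer_name, appointment_date, appointment_time, service_name
         FROM {$wpdb->prefix}demo_appointments WHERE id = %d",
        $appointment_id
    ) );
}

// Hardened pattern, step 1: when the booking is created, store the hash of an
// unguessable token with the row and put the raw token in the customer's link.
function idor_demo_issue_token( $appointment_id ) {
    global $wpdb;
    $token = bin2hex( random_bytes( 16 ) ); // 128 bits of randomness
    $wpdb->update(
        $wpdb->prefix . 'demo_appointments',
        array( 'view_token' => hash( 'sha256', $token ) ),
        array( 'id' => absint( $appointment_id ) ),
        array( '%s' ),
        array( '%d' )
    );
    return $token; // e.g. ?appointment_id=42&token=<raw token>
}

// Hardened pattern, step 2: the thank-you page refuses to render a booking
// unless the caller also presents the matching token (constant-time compare).
function idor_demo_hardened_thankyou() {
    global $wpdb;
    $appointment_id = isset( $_GET['appointment_id'] ) ? absint( $_GET['appointment_id'] ) : 0;
    $token          = isset( $_GET['token'] ) ? sanitize_text_field( wp_unslash( $_GET['token'] ) ) : '';
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT customer_name, appointment_date, appointment_time, service_name, view_token
         FROM {$wpdb->prefix}demo_appointments WHERE id = %d",
        $appointment_id
    ) );
    if ( ! $row || '' === $token
        || ! hash_equals( (string) $row->view_token, hash( 'sha256', $token ) ) ) {
        return null; // caller shows a generic "booking not found" message
    }
    unset( $row->view_token ); // never echo the stored hash back to the page
    return $row;
}
```

Checking ownership against the logged-in user (`get_current_user_id()`) is the equivalent fix where bookings are tied to accounts; the token approach above also covers guest bookings.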

Exploit

Fix

Related Identifiers

CVE-2022-4340

Affected Products

Bookingpress