CVE-2023-1977

Name of the Vulnerable Software and Affected Versions The Booking Manager WordPress plugin versions prior to 2.0.29

Description The issue concerns a lack of validation for URLs input in the admin panel or in shortcodes for showing events from a remote .ics file. This allows an attacker with privileges as low as Subscriber to perform Server-Side Request Forgery (SSRF) attacks on the site's internal network.

Recommendations For versions prior to 2.0.29, update to version 2.0.29 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin panel and shortcodes that use remote .ics files until the update is applied.