CVE-2024-2749

Name of the Vulnerable Software and Affected Versions VikBooking Hotel Booking Engine & PMS WordPress plugin versions prior to 1.6.8

Description The access control mechanism in the VikBooking Hotel Booking Engine & PMS WordPress plugin fails to properly restrict access to its settings. This allows any users who can access a menu to manipulate requests and perform unauthorized actions, such as editing, renaming, or deleting categories, despite initial settings prohibiting such access. This issue resembles broken access control, enabling unauthorized users to modify critical configurations.

Recommendations For versions prior to 1.6.8, update to version 1.6.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings menu to minimize the risk of exploitation.