CVE-2024-6467

Name of the Vulnerable Software and Affected Versions The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin versions up to, and including, 1.1.5

Description The issue allows authenticated attackers with Subscriber-level access and above to create arbitrary files containing the content of files on the server. This can lead to the execution of any PHP code in those files or the exposure of sensitive information. The bookingpress save lite wizard settings func function is used to exploit this issue.

Recommendations For versions up to, and including, 1.1.5, consider disabling the bookingpress save lite wizard settings func function as a temporary workaround until a patch is available. Restrict access to sensitive files on the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.