CVE-2024-6660

Name of the Vulnerable Software and Affected Versions The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress versions up to, and including, 1.1.5

Description The issue allows unauthorized modification of data, leading to privilege escalation due to a missing capability check on the bookingpress import data continue process func function. This enables authenticated attackers with Subscriber-level access and above to update arbitrary options on the WordPress site and upload arbitrary files, potentially updating the default role for registration to administrator and enabling user registration for attackers to gain administrative user access.

Recommendations For versions up to, and including, 1.1.5, update to a version that includes a fix for the missing capability check on the bookingpress import data continue process func function to prevent unauthorized data modification and privilege escalation. As a temporary workaround, consider disabling the bookingpress import data continue process func function until a patch is available.