PT-2024-38281 · WordPress · Bookingpress

Gibran Abdillah · Published 2024-08-08 · Updated 2024-08-12 · CVE-2024-7350

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BookingPress plugin for WordPress, versions 1.1.6 through 1.1.7
Description: The plugin does not verify a user's identity before logging them in when a booking is completed, which amounts to an authentication bypass. An unauthenticated attacker who knows the email address of a registered user, including an administrator, can obtain a session as that user simply by completing a booking with that address. Exploitation is only possible when the 'Auto login user after successful booking' setting is enabled.
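The pattern behind the description above, shown as an added illustration rather than BookingPress's own code: a booking handler that turns a submitted email address into a session for whichever account owns it, next to a hardened variant that only ever logs in an account created by the same request. The example_-prefixed function and option names, the shape of the booking array and the customer role name are assumptions made for the example; the WordPress functions used are the real ones.

```php
<?php
// Added example, not BookingPress code. Names prefixed "example_" are
// assumptions; get_user_by(), wp_set_auth_cookie() etc. are WordPress core.

// Vulnerable pattern: after the booking is stored, the handler looks up the
// owner of the submitted email and logs the request in as that user. Nothing
// ties the request to the account, so knowing an admin's email is enough.
function example_vulnerable_after_booking( array $booking ) {
    if ( ! get_option( 'example_auto_login_after_booking' ) ) {
        return;
    }
    $user = get_user_by( 'email', sanitize_email( $booking['customer_email'] ) );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID ); // session for an unverified identity
    }
}

// Hardened variant: an email address is never converted into a session for
// an account that already existed. Only the account created by this very
// request may be logged in, and only if it holds no privileged role.
function example_hardened_after_booking( array $booking, $created_user_id ) {
    if ( ! get_option( 'example_auto_login_after_booking' ) ) {
        return false;
    }
    // Already authenticated: keep that session, never switch identity.
    if ( is_user_logged_in() ) {
        return false;
    }
    // No account was created for this booking, so the email belonged to an
    // existing user. They must use the login form or a password reset.
    if ( ! $created_user_id ) {
        return false;
    }
    $user = get_userdata( (int) $created_user_id );
    if ( ! $user || $user->user_email !== sanitize_email( $booking['customer_email'] ) ) {
        return false;
    }
    // Defence in depth: a freshly created customer must not carry any role
    // beyond the ones the booking flow is allowed to hand out.
    $allowed_roles = array( 'subscriber', 'example_customer' ); // assumption
    if ( array_diff( (array) $user->roles, $allowed_roles ) ) {
        return false;
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return true;
}

// Caller sketch: the booking code creates an account only when the email is
// not yet registered and returns 0 otherwise, so an existing user (and in
// particular an administrator) can never be auto-logged-in by this path.
function example_register_customer( $email ) {
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        return 0;
    }
    $user_id = wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24, true ),
        'role'       => 'subscriber',
    ) );
    return is_wp_error( $user_id ) ? 0 : (int) $user_id;
}

// Wiring, as the booking handler would call it:
//   $new_id = example_register_customer( $booking['customer_email'] );
//   example_hardened_after_booking( $booking, $new_id );
```

The decisive check is the split between "account created now" and "account that already existed": the convenience feature can remain for first-time customers while an existing account, whatever its role, is reachable only through the normal credential-checked login. The role filter is a second line of defence in case some other code path creates privileged users with a customer's email.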
Recommendations: For versions 1.1.6 through 1.1.7, disable the 'Auto login user after successful booking' setting to prevent exploitation until a patched release is available. As an additional temporary workaround, restrict access to the booking feature to reduce the exposure to unauthorized logins. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.
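Alongside disabling the setting, a site owner will want to know whether the auto-login path has already been used. The following must-use plugin is an added example, not part of BookingPress or WordPress; the example_ prefix and the log line format are assumptions. It hooks the core set_auth_cookie action, which fires from wp_set_auth_cookie() whoever the caller is, records every session issuance, and flags cookies issued for administrators from a call path that does not pass through wp_signon(), the normal credential-checked login.

```php
<?php
/**
 * Plugin Name: Example auth-cookie audit
 *
 * Added example, not BookingPress or WordPress code. Drop the file into
 * wp-content/mu-plugins/ so it loads before regular plugins. Every call to
 * wp_set_auth_cookie() is logged via error_log(); sessions handed to an
 * administrator outside wp_signon() are marked ALERT with the call chain.
 */

add_action( 'set_auth_cookie', 'example_audit_auth_cookie', 10, 6 );

function example_audit_auth_cookie( $auth_cookie, $expire, $expiration, $user_id, $scheme, $token ) {
    $user = get_userdata( (int) $user_id );
    if ( ! $user ) {
        return;
    }
    $roles = (array) $user->roles;

    // Callers as an array of function names (pretty = false). wp_signon() is
    // the password-checked login path; anything else issuing a cookie, such
    // as a booking handler, is worth a look for privileged accounts.
    $trace      = wp_debug_backtrace_summary( null, 0, false );
    $via_signon = in_array( 'wp_signon', $trace, true );

    $line = sprintf(
        'auth_cookie user=%s id=%d roles=[%s] via_signon=%s ip=%s uri=%s',
        $user->user_login,
        $user->ID,
        implode( ',', $roles ),
        $via_signon ? 'yes' : 'no',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    );

    if ( ! $via_signon && in_array( 'administrator', $roles, true ) ) {
        $line = 'ALERT ' . $line . ' trace=' . implode( ' < ', $trace );
    }

    error_log( '[example-auth-audit] ' . $line );
}
```

Treat an ALERT as a triage signal, not a verdict: user registration, password-reset auto-login and many SSO or membership plugins also issue cookies without going through wp_signon(). What the log gives is the request URI and the chain of functions that created the session, which is enough to tell a booking submission apart from a normal login. The hook only sees sessions created after it is installed, so for incidents that may already have happened, also review administrator accounts for unexpected changes and check the web-server log for booking submissions that carry an administrator's email address.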

Weakness Enumeration

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2024-7350

Affected Products

Bookingpress