CVE-2024-8795

Name of the Vulnerable Software and Affected Versions: BA Book Everything plugin for WordPress versions up to, and including, 1.6.20

Description: The issue is due to missing or incorrect nonce validation on the my account update() function, making it possible for unauthenticated attackers to update a user's account details via a forged request. This can be leveraged to reset a user's password and gain access to their account, provided the attacker can trick a site administrator into performing an action such as clicking on a link.

Recommendations: For versions up to, and including, 1.6.20, update to a version that includes the fix for the missing or incorrect nonce validation on the my account update() function. As a temporary workaround, consider restricting access to the my account update() function until a patch is available.