CVE-2024-13821

Name of the Vulnerable Software and Affected Versions WP Booking Calendar plugin for WordPress versions up to, and including, 10.10

Description The issue allows unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved, due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted.

Recommendations For versions up to, and including, 10.10, update to a version later than 10.10 to resolve the issue. As a temporary workaround, consider implementing additional verification steps after a booking has been made and a change is being attempted to prevent manipulation of confirmed bookings. Restrict access to booking modification features to minimize the risk of exploitation until a patch is available.