PT-2025-6593 · WordPress · Getbookingswp

Authors: Hoang Phuc Vo (+1)
Published: 2025-02-18 · Updated: 2025-03-03
CVE: CVE-2024-13677
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GetBookingsWP – Appointments Booking Calendar Plugin For WordPress, versions up to 1.1.27.
Description: The issue arises from the plugin's failure to verify that the requesting user is authorized before updating a user's details, such as the email address. This allows authenticated attackers with Subscriber-level access or higher to change arbitrary users' email addresses, including those of administrators. An attacker can then use the changed address to reset that user's password and take over the account.
Recommendations: For versions up to 1.1.27, update the plugin to a version higher than 1.1.27 to resolve the issue. As a temporary workaround, restrict access to the plugin's user-management features to minimize the risk of exploitation. Additionally, monitor user account activity for suspicious changes to email addresses or password resets.
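The pattern behind this class of flaw, and the check that closes it, as an added illustration that is not the GetBookingsWP plugin's code or the advisory's own material. The AJAX action names, the `user_id`/`email` request fields and the function names are assumptions chosen for the example; the WordPress API calls (`current_user_can`, `check_ajax_referer`, `wp_update_user`, `get_current_user_id`) are real.

```php
<?php
/**
 * Added illustration of a missing-authorization profile update and its hardened form.
 * Not the plugin's code: action names, field names and function names are assumed.
 */

// --- Vulnerable pattern: the target account is taken from the request and never
// compared with the caller. Any logged-in user can name an administrator's ID and
// overwrite that account's email address.
add_action( 'wp_ajax_example_update_profile', 'example_update_profile_vulnerable' );
function example_update_profile_vulnerable() {
    $user_id = (int) ( $_POST['user_id'] ?? 0 );        // attacker-controlled target
    $email   = sanitize_email( $_POST['email'] ?? '' ); // sanitized, but for the wrong user

    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// --- Hardened pattern: a nonce against cross-site forgery, then an authorization
// decision bound to the specific target account before anything is written.
add_action( 'wp_ajax_example_update_profile_secure', 'example_update_profile_secure' );
function example_update_profile_secure() {
    check_ajax_referer( 'example_update_profile', '_wpnonce' );

    $requested_id = (int) ( $_POST['user_id'] ?? 0 );
    $current_id   = get_current_user_id();

    // Users may edit their own profile. Editing anyone else requires the 'edit_user'
    // meta-capability for that target, which WordPress grants only to roles holding
    // edit_users (administrators by default). Subscribers fail this check.
    if ( $requested_id !== $current_id && ! current_user_can( 'edit_user', $requested_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    $result = wp_update_user( array( 'ID' => $requested_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success();
}
```

The decisive line is the `current_user_can( 'edit_user', $requested_id )` test: it asks WordPress whether this caller may edit that particular account, rather than merely whether the caller is logged in. Sanitizing the email value, as the vulnerable handler already does, says nothing about who is allowed to set it.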
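One way to act on the monitoring recommendation, as an added example that is not part of the advisory or of the plugin. It is a small must-use plugin (the `wp-content/mu-plugins/` location is an assumed deployment choice) built on the real `profile_update` and `after_password_reset` hooks; it records every email change made on one account by a different account, or on an administrator account, which is the footprint this vulnerability class leaves.

```php
<?php
/**
 * Added example: audit email changes and password resets so that cross-account
 * tampering is visible. Not the plugin's code; function names are assumed.
 * Install as wp-content/mu-plugins/example-user-audit.php (assumed path).
 */

add_action( 'profile_update', 'example_audit_email_change', 10, 2 );
function example_audit_email_change( $user_id, $old_user_data ) {
    $new_user = get_userdata( $user_id );
    if ( ! $new_user || $new_user->user_email === $old_user_data->user_email ) {
        return; // email unchanged, nothing to record
    }

    $actor_id = get_current_user_id(); // 0 when triggered by WP-CLI or cron
    $actor    = $actor_id ? get_userdata( $actor_id ) : null;

    $entry = array(
        'event'       => 'user_email_change',
        'time'        => current_time( 'mysql', true ),
        'target_id'   => (int) $user_id,
        'target_role' => implode( ',', $new_user->roles ),
        'old_email'   => $old_user_data->user_email,
        'new_email'   => $new_user->user_email,
        'actor_id'    => $actor_id,
        'actor_role'  => $actor ? implode( ',', $actor->roles ) : 'none',
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'request_uri' => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
    );

    // A change made by someone other than the account owner, or any change to an
    // administrator's address, is the condition worth alerting on.
    $cross_account = ( $actor_id !== (int) $user_id );
    $admin_target  = in_array( 'administrator', $new_user->roles, true );
    $entry['severity'] = ( $cross_account || $admin_target ) ? 'ALERT' : 'info';

    example_audit_write( $entry );
}

add_action( 'after_password_reset', 'example_audit_password_reset', 10, 1 );
function example_audit_password_reset( $user ) {
    // Only the fact of the reset is recorded; the new password is never logged.
    example_audit_write( array(
        'event'       => 'password_reset',
        'time'        => current_time( 'mysql', true ),
        'target_id'   => (int) $user->ID,
        'target_role' => implode( ',', $user->roles ),
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'severity'    => in_array( 'administrator', $user->roles, true ) ? 'ALERT' : 'info',
    ) );
}

function example_audit_write( array $entry ) {
    // error_log() lands in the PHP error log (or WP_DEBUG_LOG when enabled); forward
    // that file to your SIEM and alert on severity=ALERT lines.
    error_log( 'wp_user_audit ' . wp_json_encode( $entry ) );
}
```

Correlating the two events is the useful signal: an `ALERT` email change on an administrator account followed shortly by a `password_reset` for the same `target_id` is the sequence the description above outlines, and a reset that arrives at an address the owner did not set is the moment to lock the account and revert the email.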

Tags: Fix · LPE

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-13677

Affected Products: Getbookingswp