CVE-2024-13746

Name of the Vulnerable Software and Affected Versions Booking Calendar and Notification plugin for WordPress versions prior to 4.0.4

Description The issue allows unauthorized access, modification, and loss of data due to missing capability checks on the wpcb all bookings(), wpcb update booking post(), and wpcb delete posts() functions. This enables unauthenticated attackers to extract data, create or update bookings, or delete arbitrary posts.

Recommendations For versions prior to 4.0.4, update to version 4.0.4 or later to resolve the issue. As a temporary workaround, consider disabling the wpcb all bookings(), wpcb update booking post(), and wpcb delete posts() functions until a patch is available. Restrict access to these functions to minimize the risk of exploitation.