CVE-2024-13437 – This Cross-Site Request Forgery vulnerability i... (How to Fix)

Q: What is the severity of CVE-2024-13437?

CVE-2024-13437 has a CVSS score of 4.3 (MEDIUM). This Cross-Site Request Forgery vulnerability in the Book a Room WordPress plugin allows attackers to change plugin settings without authentication by tricking administrators into clicking malicious links. All WordPress sites using Book a Room plugin versions 2.9 and earlier are affected. The vulnerability stems from missing security tokens (nonces) on the settings page.

📋 TL;DR

This Cross-Site Request Forgery vulnerability in the Book a Room WordPress plugin allows attackers to change plugin settings without authentication by tricking administrators into clicking malicious links. All WordPress sites using Book a Room plugin versions 2.9 and earlier are affected. The vulnerability stems from missing security tokens (nonces) on the settings page.

💻 Affected Systems

Products:

Book a Room WordPress Plugin

Versions: All versions up to and including 2.9

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with Book a Room plugin active. All default configurations are vulnerable.

📦 What is this software?

Book A Room by Heightslibrary

View all CVEs affecting Book A Room →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify booking settings, disable functionality, or redirect users to malicious sites by changing plugin configuration.

🟠

Likely Case

Attackers change booking settings to disrupt operations, modify email notifications, or alter booking parameters.

🟢

If Mitigated

With proper CSRF protections and admin awareness, impact is minimal as it requires admin interaction.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires social engineering to trick authenticated admin into clicking malicious link. No authentication needed for the CSRF attack itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10 or later

Vendor Advisory: https://wordpress.org/plugins/book-a-room/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Book a Room plugin. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the Book a Room plugin until patched

wp plugin deactivate book-a-room

🧯 If You Can't Patch

Implement Content Security Policy with strict directives
Use browser extensions that block CSRF attempts and educate administrators about phishing risks

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for Book a Room version. If version is 2.9 or lower, system is vulnerable.

Check Version:

wp plugin get book-a-room --field=version

Verify Fix Applied:

Verify Book a Room plugin version is 2.10 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Multiple POST requests to /wp-admin/admin.php?page=bookaroom_Settings from unusual sources
Unexpected changes to plugin settings

Network Indicators:

HTTP POST requests to plugin settings endpoint without proper referrer headers

SIEM Query:

source="wordpress.log" AND "bookaroom_Settings" AND method="POST"

📊 Metadata

CVE ID: CVE-2024-13437

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE: CWE-352

EPSS Score: 0.04% exploit probability (11.3th percentile)

Published: February 12, 2025

Last Updated: February 25, 2025

🔗 References

https://wordpress.org/plugins/book-a-room/ Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/bfef57b6-26b1-433b-9037-46f908422f72?source=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13437, you might also want to check these: