CVE-2024-13677
📋 TL;DR
This vulnerability allows authenticated attackers with subscriber-level access or higher to change arbitrary users' email addresses in the GetBookingsWP WordPress plugin. Attackers can then trigger password resets to take over accounts, including administrator accounts. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- GetBookingsWP – Appointments Booking Calendar Plugin For WordPress
📦 What is this software?
Get Bookings Wp by Istmoplugins
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise where attackers gain administrator access, install backdoors, steal data, deface the site, or use it for further attacks.
Likely Case
Account takeover of high-privilege users leading to data theft, content manipulation, or lateral movement within the WordPress environment.
If Mitigated
Limited impact if strong access controls, monitoring, and least privilege principles are already implemented.
🎯 Exploit Status
Requires authenticated access but only at subscriber level, which is commonly available. The attack chain involves two steps: email change followed by password reset.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.1.28 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/get-bookings-wp/trunk/classes/user.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the GetBookingsWP plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.1.28+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the GetBookingsWP plugin until patched
wp plugin deactivate get-bookings-wp
Restrict user registration
Disable new user registrations or require administrator approval
🧯 If You Can't Patch
- Implement strong password policies and multi-factor authentication for all users
- Monitor user account changes and failed login attempts closely
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 1.1.27 or lower, you are vulnerable.
Check Version:
wp plugin get get-bookings-wp --field=version
Verify Fix Applied:
Confirm plugin version is 1.1.28 or higher. Test that authenticated users cannot change other users' email addresses.
📡 Detection & Monitoring
Log Indicators:
- Unusual email change events in user profiles
- Multiple password reset requests for privileged accounts
- User privilege escalation events
Network Indicators:
- HTTP POST requests to user profile update endpoints from unexpected sources
SIEM Query:
source="wordpress" AND (event="profile_update" OR event="password_reset") AND user_role="subscriber"
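The SIEM query above flags single events. The two-step chain described in this advisory (an email change on a privileged account followed shortly by a password reset) is easier to spot by correlating events per target user. The following Python script is an added example, not part of this advisory or the plugin; the key=value audit-log format, the field names (event, actor, actor_role, target, target_role, field) and the 15-minute window are constructed assumptions, so map them to whatever your WordPress audit logger actually emits. It raises two kinds of alert: a low-privilege account changing someone else's email, and an email change followed by a password reset within the window.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a key=value audit-log style (not output of any
# real WordPress logger). The first three lines model the takeover chain.
SAMPLE_LOG = """\
2024-01-15T10:01:50Z event=login actor=bob actor_role=subscriber target=bob
2024-01-15T10:02:11Z event=profile_update actor=bob actor_role=subscriber target=admin target_role=administrator field=user_email old=admin@example.com new=attacker@example.net
2024-01-15T10:02:40Z event=password_reset actor=anonymous actor_role=none target=admin target_role=administrator
2024-01-15T11:30:00Z event=profile_update actor=alice actor_role=editor target=alice target_role=editor field=user_email old=alice@example.com new=alice.new@example.com
2024-01-15T12:00:00Z event=password_reset actor=anonymous actor_role=none target=alice target_role=editor
"""

# Assumed correlation window between an email change and a password reset.
RESET_WINDOW = timedelta(minutes=15)
# Roles that may legitimately edit other users' profiles in a default install.
MAY_EDIT_OTHERS = {"administrator"}


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict; None for junk lines."""
    parts = line.split()
    if len(parts) < 2 or "=" in parts[0]:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"ts": ts}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if sep:
            event[key] = value
    return event


def parse_log(text):
    """Parse a whole log blob, dropping unparseable lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect(events, window=RESET_WINDOW):
    """Correlate email changes with later password resets per target account."""
    alerts = []
    last_email_change = {}  # target user -> timestamp of most recent email change
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev.get("event")
        if kind == "profile_update" and ev.get("field") == "user_email":
            actor, target = ev.get("actor"), ev.get("target")
            # Rule 1: someone without user-management rights edited another account.
            if actor != target and ev.get("actor_role") not in MAY_EDIT_OTHERS:
                alerts.append({"rule": "cross_account_email_change",
                               "target": target, "actor": actor, "ts": ev["ts"]})
            last_email_change[target] = ev["ts"]
        elif kind == "password_reset":
            target = ev.get("target")
            changed_at = last_email_change.get(target)
            # Rule 2: reset requested soon after the address was changed.
            if changed_at is not None and ev["ts"] - changed_at <= window:
                alerts.append({"rule": "email_change_then_reset",
                               "target": target, "actor": ev.get("actor"),
                               "ts": ev["ts"],
                               "delay_s": int((ev["ts"] - changed_at).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, only the admin account is flagged: bob (a subscriber) changed admin's address, and a reset followed 29 seconds later. Alice's self-service change followed by a reset half an hour later stays quiet, which is the noise you want to suppress.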