CVE-2024-24715
📋 TL;DR
This vulnerability in The Events Calendar BookIt WordPress plugin allows attackers to manipulate hidden form fields to bypass price validation. It affects all WordPress sites running BookIt plugin versions up to 2.4.0, potentially allowing unauthorized booking modifications.
💻 Affected Systems
- WordPress BookIt Plugin (The Events Calendar BookIt)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could book premium services for free, manipulate booking quantities beyond limits, or cause financial loss to the business.
Likely Case
Price manipulation allowing free or discounted bookings of paid services.
If Mitigated
Minimal impact with proper input validation and server-side price verification.
🎯 Exploit Status
Exploitation requires user interaction with booking forms but is technically simple.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.1 or later
Vendor Advisory: https://patchstack.com/database/vulnerability/bookit/wordpress-wordpress-bookit-plugin-plugin-2-4-0-price-bypass-vulnerability-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'BookIt' plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 2.4.1+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable BookIt Plugin
allTemporarily disable the vulnerable plugin until patched.
wp plugin deactivate bookit
Implement Server-Side Price Validation
allAdd custom server-side validation to verify prices independently of client input.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block hidden field manipulation
- Disable booking functionality or restrict to trusted users only
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for BookIt version ≤2.4.0.Check Version:
wp plugin get bookit --field=versionVerify Fix Applied:
Confirm BookIt plugin version is 2.4.1 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual booking price discrepancies
- Multiple bookings with manipulated price fields
Network Indicators:
- POST requests to booking endpoints with modified hidden field values
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "bookit") AND http_method="POST" AND (form_data CONTAINS "price" OR form_data CONTAINS "hidden")🔗 References
- https://patchstack.com/database/vulnerability/bookit/wordpress-wordpress-bookit-plugin-plugin-2-4-0-price-bypass-vulnerability-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/bookit/wordpress-wordpress-bookit-plugin-plugin-2-4-0-price-bypass-vulnerability-vulnerability?_s_id=cve
