CVE-2024-34799

6.5 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the BookingPress WordPress plugin that allows unauthenticated users to manipulate appointment durations. This affects all WordPress sites running BookingPress versions up to 1.0.82, potentially disrupting booking systems and business operations.

💻 Affected Systems

Products:
  • BookingPress Appointment Booking WordPress Plugin
Versions: n/a through 1.0.82
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with BookingPress plugin enabled, regardless of WordPress version or hosting environment.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate appointment durations to cause service disruption, double-book appointments, or create scheduling conflicts that impact business operations and customer satisfaction.

🟠 Likely Case

Unauthenticated users modify appointment durations to create scheduling conflicts, disrupt service availability, or cause minor operational issues.

🟢 If Mitigated

With proper authorization controls, only authenticated administrators could modify appointment settings, preventing unauthorized manipulation.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability requires no authentication, making exploitation trivial.
🏢 Internal Only: LOW - Internal-only WordPress installations would still be vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and appears to be straightforward to exploit based on the description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.83 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/bookingpress-appointment-booking/wordpress-bookingpress-plugin-1-0-82-appointment-duration-manipulation-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find BookingPress and click 'Update Now'.
4. Verify the update to version 1.0.83 or higher.

🔧 Temporary Workarounds

Disable BookingPress Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate bookingpress-appointment-booking

Restrict Access via WAF (platform: all)

Block requests to BookingPress endpoints for unauthenticated users.

🧯 If You Can't Patch

  • Implement web application firewall rules to block unauthenticated requests to BookingPress endpoints
  • Disable the BookingPress plugin and use alternative booking solutions temporarily

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > BookingPress version. If version is 1.0.82 or lower, you are vulnerable.

Check Version:

wp plugin get bookingpress-appointment-booking --field=version

Verify Fix Applied:

After updating, verify BookingPress version shows 1.0.83 or higher in WordPress admin plugins page.
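The version check above can be scripted so it does not depend on a string comparison that would, for example, treat 1.0.9 as newer than 1.0.82. The following POSIX shell script is an added example, not part of the advisory; it reuses the advisory's wp-cli command and plugin slug, fixes the first patched release at 1.0.83, and compares versions with `sort -V`. Run it with `--live [WORDPRESS_PATH]` to query an installed site; without arguments it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed
# BookingPress version predates the fix in 1.0.83.
FIXED_VERSION="1.0.83"
PLUGIN_SLUG="bookingpress-appointment-booking"   # slug from the advisory's wp-cli command

# is_vulnerable VERSION -> exit status 0 if VERSION is older than 1.0.83, 1 otherwise.
# sort -V orders numerically per component, so 1.0.9 sorts before 1.0.82.
is_vulnerable() {
    v="$1"
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    # Older than the fix iff the installed version sorts first and is not the fix itself.
    [ "$lowest" = "$v" ] && [ "$v" != "$FIXED_VERSION" ]
}

# check_site [WORDPRESS_PATH]: read the installed version with wp-cli and report.
# Exit status: 0 vulnerable, 1 patched, 2 wp-cli failed or plugin not installed.
check_site() {
    if [ -n "$1" ]; then
        installed=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$1" 2>/dev/null)
    else
        installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)
    fi
    if [ -z "$installed" ]; then
        echo "wp-cli failed or $PLUGIN_SLUG is not installed"
        return 2
    fi
    if is_vulnerable "$installed"; then
        echo "VULNERABLE: BookingPress $installed is older than $FIXED_VERSION"
        return 0
    fi
    echo "OK: BookingPress $installed is $FIXED_VERSION or newer"
    return 1
}

# Only touch the live site when explicitly asked to.
if [ "${1:-}" = "--live" ]; then
    check_site "${2:-}"
fi
```

The exit status of `check_site` is designed for fleet use: a wrapper looping over many WordPress installs can count zeros to get the number of sites still exposed.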

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to BookingPress endpoints from unauthenticated clients
  • Multiple failed appointment duration modification attempts

Network Indicators:

  • HTTP requests to /wp-content/plugins/bookingpress-appointment-booking/ endpoints without authentication

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-content/plugins/bookingpress-appointment-booking/*" OR plugin="bookingpress") AND http_method=POST AND NOT user_authenticated=true
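A web server access log has no `user_authenticated` field, so the SIEM query above has to be approximated from what the log does record. The script below is an added example, not from the advisory. It assumes an Apache "combined" LogFormat extended with one extra quoted field, the request's Cookie header (`%{Cookie}i`), and treats a POST under the plugin path that carries no `wordpress_logged_in_` cookie as an unauthenticated request, then counts such requests per client IP. The log lines are constructed, and `example-endpoint.php` is a placeholder for whatever plugin endpoint is actually hit, not a real BookingPress file.

```shell
#!/bin/sh
# Added example (not from the advisory): flag unauthenticated POSTs to the
# BookingPress plugin path in an access log, grouped by client IP.
PLUGIN_PATH="/wp-content/plugins/bookingpress-appointment-booking/"

# Constructed sample: combined log + trailing quoted Cookie header field.
# Only 203.0.113.5 posts to the plugin path without a WordPress login cookie.
SAMPLE_LOG='203.0.113.5 - - [10/Jun/2024:10:01:02 +0000] "POST /wp-content/plugins/bookingpress-appointment-booking/example-endpoint.php HTTP/1.1" 200 512 "-" "curl/8.0" "-"
203.0.113.5 - - [10/Jun/2024:10:01:03 +0000] "POST /wp-content/plugins/bookingpress-appointment-booking/example-endpoint.php HTTP/1.1" 200 512 "-" "curl/8.0" "-"
198.51.100.7 - - [10/Jun/2024:10:02:00 +0000] "POST /wp-content/plugins/bookingpress-appointment-booking/example-endpoint.php HTTP/1.1" 200 700 "https://shop.example/" "Mozilla/5.0" "wordpress_logged_in_abc123=admin%7C...; wp-settings-1=x"
192.0.2.9 - - [10/Jun/2024:10:03:00 +0000] "GET /wp-content/plugins/bookingpress-appointment-booking/css/front.css HTTP/1.1" 200 900 "https://shop.example/" "Mozilla/5.0" "-"
192.0.2.9 - - [10/Jun/2024:10:03:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 90 "https://shop.example/" "Mozilla/5.0" "-"'

# flag_unauth_plugin_posts THRESHOLD  (log on stdin)
# Prints "IP COUNT" for every client with at least THRESHOLD POSTs to the
# plugin path that carried no wordpress_logged_in_ cookie.
flag_unauth_plugin_posts() {
    awk -v threshold="${1:-1}" -v prefix="$PLUGIN_PATH" '
        # $6 is the quoted method ("POST), $7 the request path.
        $6 == "\"POST" && index($7, prefix) == 1 {
            # The Cookie header is the last quoted field; the greedy .* drops
            # everything up to the final quote-space-quote separator.
            cookie = $0
            sub(/.*" "/, "", cookie)
            sub(/"$/, "", cookie)
            if (cookie !~ /wordpress_logged_in_/) hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= threshold) print ip, hits[ip] }
    '
}

# detect_from_sample THRESHOLD: run the detector over the embedded sample, sorted for stable output.
detect_from_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_unauth_plugin_posts "${1:-1}" | sort
}

# Run directly: scan a real log given as $1, otherwise the constructed sample.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    flag_unauth_plugin_posts 1 < "$1"
else
    detect_from_sample 1
fi
```

Logging the Cookie header does put session identifiers into the log file, so a deployment that adopts this format should restrict log access accordingly, or log only the presence of a `wordpress_logged_in_` cookie rather than its value.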
