CVE-2024-7350
📋 TL;DR
The BookingPress WordPress plugin versions 1.1.6 to 1.1.7 contain an authentication bypass vulnerability that allows unauthenticated attackers to log in as any registered user, including administrators, if they know the user's email address. This occurs when the 'Auto login user after successful booking' setting is enabled. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- BookingPress Appointment Booking Calendar Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to WordPress sites, enabling complete site takeover, data theft, malware installation, and defacement.
Likely Case
Attackers compromise user accounts to access sensitive booking data, escalate privileges, or perform unauthorized actions.
If Mitigated
With the setting disabled, the vulnerability cannot be exploited, though the underlying code flaw remains.
🎯 Exploit Status
Exploitation requires only the target user's email address and the vulnerable setting enabled. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.8
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3130266/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_customers.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find BookingPress plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 1.1.8+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable Auto-Login Setting
allTurn off the vulnerable 'Auto login user after successful booking' feature in plugin settings.
🧯 If You Can't Patch
- Disable the BookingPress plugin entirely until patched.
- Implement web application firewall rules to block suspicious authentication attempts.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for BookingPress version. If version is 1.1.6 or 1.1.7, check plugin settings for 'Auto login user after successful booking' enabled status.Check Version:
wp plugin list --name=bookingpress --field=versionVerify Fix Applied:
Confirm BookingPress plugin version is 1.1.8 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual authentication events from unknown IPs
- Multiple failed login attempts followed by successful login with same email
- User role changes in WordPress logs
Network Indicators:
- HTTP POST requests to bookingpress authentication endpoints from unauthenticated sources
SIEM Query:
source="wordpress.log" AND ("bookingpress" OR "auto login") AND ("success" OR "authenticated")🔗 References
- https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_customers.php#L339
- https://plugins.trac.wordpress.org/changeset/3130266/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_customers.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4c367565-75f7-4dd7-a2f1-111df581bd7a?source=cve
