CVE-2024-8794
📋 TL;DR
The BA Book Everything WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to reset any user's password without verification. This affects all WordPress sites using plugin versions up to 1.6.20. While attackers cannot access the generated passwords, they can disrupt site operations by locking legitimate users out.
💻 Affected Systems
- BA Book Everything WordPress Plugin
⚠️ Risk & Real-World Impact
Worst Case
Administrator accounts get locked out, causing complete site management disruption and potential business impact if administrators cannot access critical functions.
Likely Case
Regular users experience account lockouts and service disruption, requiring manual password resets and generating support tickets.
If Mitigated
With proper monitoring and incident response, impact is limited to temporary user inconvenience and minor administrative overhead.
🎯 Exploit Status
The vulnerability is simple to exploit with basic HTTP requests targeting the password reset function without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.21 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3152728/ba-book-everything/trunk/includes/class-babe-users.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'BA Book Everything' and check whether an update is available.
4. Click 'Update Now' to upgrade to version 1.6.21 or later.
5. Verify the plugin is active and functioning.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched:
wp plugin deactivate ba-book-everything
Restrict Access
Use a web application firewall to block requests to the vulnerable endpoints.
🧯 If You Can't Patch
- Implement rate limiting on password reset endpoints to prevent mass exploitation
- Enable detailed logging of password reset attempts and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for the BA Book Everything version. If the version is 1.6.20 or lower, the site is vulnerable.
Check Version:
wp plugin get ba-book-everything --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.6.21 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of password reset requests
- Password reset attempts from unexpected IP addresses
- User complaints about being locked out
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=reset_user_password
- Multiple password reset attempts without preceding login attempts
SIEM Query:
source="wordpress.log" AND ("reset_user_password" OR "password reset" OR "babe_users") AND status=200
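As an added example that is not part of this advisory, the following Python script applies the network indicators above to web-server access log lines: it flags POST requests to /wp-admin/admin-ajax.php carrying action=reset_user_password from a client IP that issued no earlier wp-login.php POST, and bursts of such requests from one IP inside a short window. It assumes combined-format access logs in which the action parameter is visible in the query string (or a WAF log that records it); the log lines, IPs and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RESET_PATH = "/wp-admin/admin-ajax.php"
RESET_ACTION = "action=reset_user_password"   # indicator from the advisory
LOGIN_PATH = "/wp-login.php"

# Constructed sample log: one legitimate flow, one burst with no login, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2024:13:55:20 +0000] "POST /wp-admin/admin-ajax.php?action=reset_user_password HTTP/1.1" 200 55
198.51.100.7 - - [10/Oct/2024:13:56:00 +0000] "POST /wp-admin/admin-ajax.php?action=reset_user_password HTTP/1.1" 200 55
198.51.100.7 - - [10/Oct/2024:13:56:05 +0000] "POST /wp-admin/admin-ajax.php?action=reset_user_password HTTP/1.1" 200 55
198.51.100.7 - - [10/Oct/2024:13:56:09 +0000] "POST /wp-admin/admin-ajax.php?action=reset_user_password HTTP/1.1" 200 55
192.0.2.9 - - [10/Oct/2024:13:57:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12
"""

def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_reset_request(rec):
    return (rec["method"] == "POST" and rec["path"].startswith(RESET_PATH)
            and RESET_ACTION in rec["path"])

def find_suspicious_resets(lines, burst_threshold=3, window_seconds=60):
    """Return sorted (ip, reason) alerts: resets with no prior login POST from that IP,
    and >= burst_threshold resets from one IP within window_seconds."""
    seen_login, resets, alerts = set(), defaultdict(list), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH):
            seen_login.add(rec["ip"])
        elif is_reset_request(rec):
            if rec["ip"] not in seen_login:
                alerts.add((rec["ip"], "reset_without_login"))
            resets[rec["ip"]].append(rec["ts"])
            recent = [t for t in resets[rec["ip"]]
                      if (rec["ts"] - t).total_seconds() <= window_seconds]
            if len(recent) >= burst_threshold:
                alerts.add((rec["ip"], "reset_burst"))
    return sorted(alerts)

if __name__ == "__main__":
    for ip, reason in find_suspicious_resets(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip}: {reason}")
```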
🔗 References
- https://plugins.trac.wordpress.org/browser/ba-book-everything/tags/1.6.20/includes/class-babe-my-account.php#L610
- https://plugins.trac.wordpress.org/browser/ba-book-everything/tags/1.6.20/includes/class-babe-users.php#L266
- https://plugins.trac.wordpress.org/changeset/3152728/ba-book-everything/trunk/includes/class-babe-users.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4e261b0e-5ca3-4f5c-acc0-41abee31b148?source=cve