History: Jan 02, 2023 - 9:49 p.m.

CVE-2022-4340 BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id

2023-01-02 21:49:16
WPScan
www.cve.org
cve-2022-4340
bookingpress
unauthenticated
idor
wordpress
appointment_id

AI Score: 5.5

Confidence: High

EPSS: 0.001

Percentile: 40.5%

The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in its thank-you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "BookingPress",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.0.31"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
