CVE-2024-11641
Published: 26 January 2025
Description
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files to the affected site's server, which may make remote code execution possible.
Security Summary
CVE-2024-11641 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the VikBooking Hotel Booking Engine & PMS plugin for WordPress in all versions up to and including 1.7.2. The issue stems from missing or incorrect nonce validation on the 'save' function and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Published on 2025-01-26, it allows plugin settings to be modified by forged requests that carry no valid nonce, so the handler cannot tell an administrator's intended submission from one planted by a third-party page.
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking a malicious link, which submits a forged request to alter plugin access privileges. Once those privileges have been changed, attackers with subscriber-level privileges or higher can upload arbitrary files to the affected site's server, potentially leading to remote code execution.
Advisories from Wordfence detail the vulnerability and its impact, and the WordPress plugin Trac shows changeset 3225861, which addresses the issue by adding proper nonce validation to the affected 'save' function. Sites should update immediately to a patched version newer than 1.7.2.
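To make the root cause concrete, here is an added illustration of a WordPress admin "save" handler before and after nonce validation. This is example code written for this page, not VikBooking's own source; the function, hook, option and nonce names are hypothetical.

```php
<?php
// Added illustration (not VikBooking's code): a WordPress admin "save" handler
// before and after nonce validation. Function and option names are hypothetical.

// BEFORE: every request that reaches this handler is honoured. A form planted on
// a third-party page and auto-submitted by a logged-in administrator's browser
// (CSRF) therefore changes the setting, because the browser attaches the admin's
// cookies and nothing ties the request to an action the admin actually took.
function example_settings_save_vulnerable() {
    if ( ! isset( $_POST['access_level'] ) ) {
        return;
    }
    update_option( 'example_access_level', sanitize_text_field( wp_unslash( $_POST['access_level'] ) ) );
}

// AFTER: the legitimate form embeds a nonce bound to this action and the current
// user's session; a cross-site page cannot read it, so it cannot forge the request.
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_settings">
        <input type="text" name="access_level">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_settings_save_hardened() {
    // Verifies $_REQUEST['example_nonce'] against the 'example_save_settings' action
    // for the current user; on mismatch WordPress stops execution with a 403 page.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // A nonce proves intent, not authorisation: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    if ( ! isset( $_POST['access_level'] ) ) {
        return;
    }
    update_option( 'example_access_level', sanitize_text_field( wp_unslash( $_POST['access_level'] ) ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_settings_save_hardened' );
```

When auditing a plugin for this class of bug, look for every `admin_post_*`, `admin-ajax` and settings handler that writes options or files and confirm it calls `check_admin_referer()` or `wp_verify_nonce()` before acting.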
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)