CVE-2024-13146

CVE-2024-13146 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the Booknetic WordPress plugin in versions before 4.1.5. The flaw arises from the absence of CSRF checks during the creation of Staff accounts, enabling unauthorized modifications through forged requests. Published on 2025-03-26 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), it poses a high-severity risk to WordPress sites using the vulnerable plugin.

An attacker can exploit this vulnerability remotely without privileges by crafting a malicious webpage or link that, when visited by a logged-in administrator, triggers a CSRF attack to create arbitrary Staff members. This grants the added accounts potentially elevated permissions within the Booknetic system, leading to high impacts on confidentiality, integrity, and availability. User interaction from the admin is required, but the low complexity and network accessibility make it practical for phishing or social engineering campaigns targeting site owners.

The WPScan advisory at https://wpscan.com/vulnerability/19cb40dd-53b0-46db-beb0-1841e385ce09/ details the issue, with mitigation achieved by updating to Booknetic version 4.1.5 or later, which introduces the necessary CSRF protections. Security practitioners should prioritize patching affected WordPress installations and advise admins to enable general CSRF defenses like token validation.