Cyber Posture

CVE-2024-13442

Critical

Published: 19 March 2025

Modified: 15 April 2026
KEV Added: none recorded
Patch: none recorded
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0030 (53.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to and including 5.0. The plugin does not properly validate a user's identity before performing post-booking auto-login actions or updating a user's profile details, such as the password. This makes it possible for unauthenticated attackers to log in as any user whose email address is known, or to update any user's password, including administrators, and gain access to their accounts.

Security Summary

CVE-2024-13442 is a privilege escalation vulnerability via account takeover affecting the Service Finder Bookings plugin for WordPress in all versions up to and including 5.0. The issue stems from the plugin's failure to validate a user's identity before performing post-booking auto-login actions or updating profile details such as the password: the account acted upon is taken from request data rather than from an authenticated session. The flaw is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries a CVSS 3.1 base score of 9.8 (Critical).

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction (AV:N/AC:L/PR:N/UI:N). If the target user's email address is known, the attacker can log in as that user; alternatively, the attacker can update any user's password, including an administrator's, and take over the account. Successful exploitation results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H).
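To make the CWE-288 pattern concrete, the following is an added illustration written for this page. It is not code from the Service Finder Bookings plugin and does not describe that plugin's actual endpoints or parameters; the action names, function names and the token scheme are hypothetical. It contrasts handlers that take the principal from request data (the weakness class the summary describes) with handlers that take it from the server-side session or from a server-issued single-use token, using only standard WordPress APIs.

```php
<?php
/**
 * Hypothetical illustration of the CWE-288 pattern behind CVE-2024-13442.
 * NOT the Service Finder Bookings plugin's code: action names, function names
 * and the token scheme are invented for this example. Uses standard WordPress APIs.
 */

/* ---------- VULNERABLE PATTERN: identity taken from the request ---------- */

// Post-booking "auto-login": the client supplies an email, the server logs that user in.
add_action( 'wp_ajax_nopriv_demo_booking_autologin_vuln', 'demo_booking_autologin_vuln' );
function demo_booking_autologin_vuln() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        // Anyone who knows the address receives the victim's session.
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );
    }
    wp_send_json_success();
}

// Profile update: the client supplies the user id whose password is changed.
add_action( 'wp_ajax_nopriv_demo_profile_update_vuln', 'demo_profile_update_vuln' );
function demo_profile_update_vuln() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['password'] ?? '' );
    // No check that the caller is $user_id, or is logged in at all: admin takeover.
    wp_set_password( $password, $user_id );
    wp_send_json_success();
}

/* ---------- HARDENED PATTERN: identity from the session or a server-issued token ---------- */

// Called by the booking flow right after it creates the new account (server side only).
function demo_issue_autologin_token( int $user_id ): string {
    $token = wp_generate_password( 32, false );
    // Store only a hash of the token, bound to the user id, with a short expiry.
    set_transient( 'demo_autologin_' . hash( 'sha256', $token ), $user_id, 5 * MINUTE_IN_SECONDS );
    return $token;
}

add_action( 'wp_ajax_nopriv_demo_booking_autologin_safe', 'demo_booking_autologin_safe' );
function demo_booking_autologin_safe() {
    check_ajax_referer( 'demo_booking', 'nonce' ); // CSRF check; dies on failure
    $token   = sanitize_text_field( wp_unslash( $_POST['token'] ?? '' ) );
    $key     = 'demo_autologin_' . hash( 'sha256', $token );
    $user_id = $token ? (int) get_transient( $key ) : 0; // false (missing/expired) becomes 0
    if ( ! $user_id ) {
        wp_send_json_error( 'invalid or expired token', 403 );
    }
    delete_transient( $key ); // single use: a replayed token fails
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    wp_send_json_success();
}

// No wp_ajax_nopriv_ registration: unauthenticated callers cannot reach this at all.
add_action( 'wp_ajax_demo_profile_update_safe', 'demo_profile_update_safe' );
function demo_profile_update_safe() {
    check_ajax_referer( 'demo_profile', 'nonce' );
    $user_id = get_current_user_id(); // principal comes from the session, never from $_POST
    if ( ! $user_id ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    $current = (string) ( $_POST['current_password'] ?? '' );
    $new     = (string) ( $_POST['password'] ?? '' );
    $user    = get_userdata( $user_id );
    if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    wp_set_password( $new, $user_id );
    wp_send_json_success();
}
```

The hardened variants never accept an email or user id as the identity to act on. The password-update handler is registered only on the authenticated `wp_ajax_` hook, requires a nonce and the current password, and changes the session user's password only. The auto-login token is minted server-side when the booking flow creates the account, stored only as a hash, expires after five minutes and is deleted on first use, so knowing a victim's email address yields nothing.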

Advisories, including the Wordfence threat intelligence report, provide additional details on the vulnerability. The plugin is distributed through the ThemeForest marketplace at the referenced URL. No specific patch information is detailed in the available CVE data; until a fixed release is confirmed from the vendor or the Wordfence advisory, treat every installation running version 5.0 or earlier as exploitable, and review administrator accounts for unexpected password changes or logins.

Details

CWE(s)
CWE-288

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Defense Evasion
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The vulnerability in a public-facing WordPress plugin allows unauthenticated account takeover and password updates, which maps directly to T1190 (exploitation of a public-facing application), T1078 (use of the compromised valid account) and T1098 (account manipulation through password changes).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References