CVE-2024-13677

CVE-2024-13677 is a privilege escalation vulnerability affecting the GetBookingsWP – Appointments Booking Calendar Plugin for WordPress in all versions up to and including 1.1.27. The issue stems from the plugin failing to properly validate a user's identity before allowing updates to their details, such as email addresses, which is tied to CWE-862 (Missing Authorization). It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and potential for significant confidentiality, integrity, and availability impacts.

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability to update the email addresses of arbitrary users, including administrators. By changing an administrator's email, the attacker can then trigger a password reset process using the new email address under their control, resulting in full account takeover and potential privilege escalation to gain administrative control over the WordPress site.

Advisories and further details are available from sources including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/b6b0dc03-3715-41f8-8888-1cccddb39c0b?source=cve and the plugin's source code at https://plugins.trac.wordpress.org/browser/get-bookings-wp/trunk/classes/user.php, which highlight the flawed user update logic in the user.php file.