CVE-2024-6660
HIGHDescription
The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_func function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site and upload arbitrary files. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Is your site exposed to CVE-2024-6660?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| reputeinfosystems | bookingpress |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2024-6660? +
How severe is CVE-2024-6660? +
What products are affected by CVE-2024-6660? +
How do I check if I'm vulnerable to CVE-2024-6660? +
Related Vulnerabilities
When creating an export of all reusable media, the secrets of connected gift cards were included in the export even …
LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass …
Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a …
An Improper Handling of Insufficient Permissions or Privileges vulnerability in scripts used in B&R APROL <4.4-00P5 may allow an authenticated …
Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: 2.8.0. Users are recommended …
Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to …