CVE-2022-45824
Description
Cross-Site Request Forgery (CSRF) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) in Advanced Booking Calendar <=1.7.1 allows attackers to force higher-privileged users to perform unwanted actions.
The Advanced Booking Calendar plugin for WordPress, versions 1.7.1 and earlier, is vulnerable to Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows a malicious actor to craft requests that, when executed by a higher-privileged user (such as an administrator), perform unintended actions under that user's current authentication session. The issue is rooted in a lack of proper CSRF token validation on certain plugin functions [1].
Exploitation requires user interaction: a privileged user must be tricked into clicking a malicious link, visiting a crafted page, or submitting a specially crafted form while authenticated to the target WordPress site. The attacker does not need to be authenticated, but the victim must have the necessary privileges for the actions being forged. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
The impact is moderate (CVSS 5.4). A successful CSRF attack could allow an attacker to force an administrator or other privileged user to change settings, create new users, or perform other administrative tasks without the user's knowledge, potentially leading to full site compromise. The attacker does not directly gain access but can abuse the victim's session to achieve their goals [1].
As of the publication date, the vendor has not released a patch for version 1.7.1; users are advised to update the plugin to the latest available version. Immediate action is recommended, and if updating is not possible, contacting the hosting provider or a developer is suggested. This vulnerability is known in Patchstack's database and may be targeted in automated campaigns [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:elbtide:advanced_booking_calendar:*:*:*:*:*:wordpress:*:* (Range: <=1.7.1)
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.