Medium severity 6.5 · NVD Advisory · Published Mar 1, 2025 · Updated Apr 15, 2026
CVE-2024-13746
Description
The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts() functions in all versions up to, and including, 4.0.3. This makes it possible for unauthenticated attackers to extract data, create or update bookings, or delete arbitrary posts.
Affected products
- Range: <=4.0.3
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/booking-calendar-and-notification/tags/4.0.3/lib/includes/function.php (nvd)
- plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/422bb9a5-c848-4492-add7-bc65b1111565 (nvd)