CVE-2024-6175
Description
The Booking Ultra Pro Appointments Booking Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple functions called via AJAX, such as save_fields_settings, bup_delete_user_avatar, bup_crop_avatar_user_profile_image, and more, in all versions up to, and including, 1.1.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete multiple plugin options and data such as payments, pricing, booking information, business hours, calendars, profile information, and email templates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Booking Ultra Pro plugin for WordPress lacks capability checks on multiple AJAX functions, allowing subscribers to modify payments, pricing, bookings, and other sensitive data.
The Booking Ultra Pro Appointments Booking Calendar Plugin for WordPress, up to version 1.1.13, is vulnerable to unauthorized modification of data due to missing capability checks on several AJAX functions. These functions include save_fields_settings, bup_delete_user_avatar, bup_crop_avatar_user_profile_image, and others. The root cause is that the plugin does not verify that the user making the AJAX request has the necessary administrative privileges before processing the action [1].
Attackers can exploit this vulnerability by authenticating with a Subscriber-level account or higher and sending crafted AJAX requests to any of the unprotected endpoints. No additional privileges or special network position is required, as the faulty functions are accessible directly through WordPress's admin-ajax interface. The attack surface is broad, covering multiple areas of the plugin's functionality [1].
The impact is significant: an authenticated attacker can modify and delete a wide range of plugin data and options. This includes payments, pricing information, booking records, business hours, calendar entries, user profile data, and email templates. Such unauthorized changes could disrupt business operations, lead to financial fraud, or cause loss of customer trust [1].
As of the publication date (2024-07-18), no patch has been released by the vendor. Users are advised to update the plugin as soon as a fixed version becomes available or to restrict access to the affected functions via other security measures, such as a Web Application Firewall (WAF) rule or capability mapping [1]. The vulnerability has not been reported as listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
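The root cause described above is a WordPress AJAX handler that performs a privileged write without checking who is calling. The following is an added illustrative example, not code from the Booking Ultra Pro plugin; the handler and option names are hypothetical. It shows the unchecked pattern beside the hardened form that verifies a nonce and a capability before touching plugin data.

```php
<?php
// Illustrative example only; not code from the Booking Ultra Pro plugin.
// All function, action and option names below are hypothetical.

// Unchecked pattern: the handler is registered on a wp_ajax_* hook, which
// fires for any logged-in user, and it writes a plugin option without
// confirming the caller's role. A Subscriber can reach it via admin-ajax.php.
function bup_example_save_settings_unchecked() {
    $fields = isset( $_POST['fields'] ) ? wp_unslash( $_POST['fields'] ) : array();
    update_option( 'bup_example_fields', $fields ); // no nonce or capability check
    wp_send_json_success();
}
add_action( 'wp_ajax_bup_example_save_unchecked', 'bup_example_save_settings_unchecked' );

// Hardened form: check a nonce tied to this action (stops CSRF) and require a
// capability that Subscriber-level accounts do not hold before any write.
function bup_example_save_settings_checked() {
    // check_ajax_referer() terminates the request with -1 if the nonce fails.
    check_ajax_referer( 'bup_example_save', 'nonce' );

    // manage_options is held by Administrators only on a single site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Assumes a flat list of string fields; sanitize each value before storing.
    $fields = ( isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) )
        ? array_map( 'sanitize_text_field', wp_unslash( $_POST['fields'] ) )
        : array();

    update_option( 'bup_example_fields', $fields );
    wp_send_json_success( array( 'saved' => count( $fields ) ) );
}
add_action( 'wp_ajax_bup_example_save_checked', 'bup_example_save_settings_checked' );
```

When auditing a plugin for this class of bug, every `wp_ajax_*` handler that changes state should show both a `check_ajax_referer()` (or `wp_verify_nonce()`) call and a `current_user_can()` check before its first write.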
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)