CVE-2022-4340

EUVD-2022-51693
The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
reputeinfosystemsbookingpress
𝑥
< 1.0.31
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/8a7bd9f6-2789-474b-a237-01c643fdfba7
https://wpscan.com/vulnerability/8a7bd9f6-2789-474b-a237-01c643fdfba7