CVE-2022-4340

The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
WPScanCNA
---
---
CVEADP
---
---
CISA-ADPADP
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 43%
VendorProductVersion
reputeinfosystemsbookingpress
𝑥
< 1.0.31
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/8a7bd9f6-2789-474b-a237-01c643fdfba7
https://wpscan.com/vulnerability/8a7bd9f6-2789-474b-a237-01c643fdfba7