CVE-2023-1129

EUVD-2023-23412
The WP FEvents Book WordPress plugin through 0.46 does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
Affected Products (NVD)
VendorProductVersion
wp_fevents_book_projectwp_fevents_book
𝑥
≤ 0.46
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/d40479de-fb04-41b8-9fb0-41b9eefbd8af
https://wpscan.com/vulnerability/d40479de-fb04-41b8-9fb0-41b9eefbd8af