
1/3/2025

3/3/2025
CVE-2024-13746: Booking Calendar and Notification <= 4.0.3 - Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions
First published: Sat Mar 01 2025 (Updated: )
The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts() functions in all versions up to, and including, 4.0.3. This makes it possible for unauthenticated attackers to extract data, create or update bookings, or delete arbitrary posts.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Booking Calendar | <=4.0.3 | |
Frequently Asked Questions
What is the severity of CVE-2024-13746?
CVE-2024-13746 is considered a critical vulnerability due to the risk of unauthorized access and data loss.
How do I fix CVE-2024-13746?
To remediate CVE-2024-13746, update the Booking Calendar and Notification plugin to the latest version that includes the necessary capability checks.
Which versions of the Booking Calendar and Notification plugin are affected by CVE-2024-13746?
All versions of the Booking Calendar and Notification plugin up to and including version 4.0.3 are affected by CVE-2024-13746.
What functionalities are vulnerable in CVE-2024-13746?
The functions wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts() are vulnerable in CVE-2024-13746.
What types of attacks can exploit CVE-2024-13746?
Exploitation of CVE-2024-13746 can give an attacker unauthorized access, allow modification of posts, and potentially lead to data loss.