PHPJabbers Event Booking Calendar Rate Limiting Vulnerability in Email Features

Vulnerability

A denial-of-service vulnerability has been identified in PHPJabbers Event Booking Calendar version 4.0. Neither the 'Forgot Password' feature nor the 'Email Settings' feature (reachable by a logged-in user under the System Options menu) enforces rate limiting, so an attacker can make the application send an unbounded number of emails: password-reset messages to any registered user's address, or messages to any address entered in Email Settings. A sustained burst of such requests can overwhelm the application's outbound mail server, flood the recipient's mailbox, and disrupt normal email delivery for the site.

Impact

Exploitation results in a denial-of-service condition: the application's mail server is flooded with outgoing messages and the targeted mailbox is flooded with unsolicited reset or settings emails. Because every message is sent from the application's own sender address, sustained abuse can also cause that sender or domain to be treated as a spam source by receiving mail providers.

Reproduction

Email Settings: log into the application and open the 'Email Settings' section under the System Options menu. Enter any email address and name and submit the form repeatedly. Every submission produces a message in the target inbox, with no throttling, cooldown or error between requests, which confirms the absence of rate limiting.

Forgot Password: submit the password-reset form several times in quick succession for the same registered email address. Each request produces another reset email. A practical check for either feature is to issue a burst of requests (for example a few dozen within a minute) and count the messages received; a rate-limited endpoint would stop sending, or start returning an error, after a small number of requests.
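The following is an added illustration for this advisory, not code from PHPJabbers Event Booking Calendar: a sliding-window limiter keyed on both the requested email address and the client IP, placed in front of a model forgot-password handler. The handler, the recording mailer, the limits (3 requests per address and 10 per source IP per hour), and the addresses used are assumptions chosen to show the control; the same check belongs in front of the Email Settings send action. Run as-is, it shows a 50-request burst producing 50 emails without the limiter and 3 with it, and that the per-address budget is restored once the window has elapsed.

```python
"""Sliding-window rate limiting in front of an email-sending endpoint.

Added illustration: the limits, handler and mailer below are assumptions,
not code from PHPJabbers Event Booking Calendar.
"""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` within any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of recent hits

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class RecordingMailer:
    """Stand-in for the real mailer: records what would have been sent."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject):
        self.sent.append((to, subject))


class ForgotPasswordHandler:
    """Reset handler with optional per-address and per-IP limiters.

    Passing no limiters reproduces the unthrottled behaviour described
    in the advisory.
    """

    def __init__(self, mailer, per_email=None, per_ip=None):
        self.mailer = mailer
        self.per_email = per_email
        self.per_ip = per_ip

    def handle(self, client_ip, email):
        # Always return the same response so the endpoint reveals neither
        # whether a limit was hit nor whether the address is registered.
        response = "If the address is registered, a reset link has been sent."
        key = email.strip().lower()
        if self.per_ip is not None and not self.per_ip.allow(client_ip):
            return response
        if self.per_email is not None and not self.per_email.allow(key):
            return response
        self.mailer.send(key, "Password reset")
        return response


class FakeClock:
    """Controllable clock so the window behaviour can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_burst(n_requests, rate_limited, clock=None):
    """Send `n_requests` resets for one address from one IP; return emails sent."""
    clock = clock or FakeClock()
    mailer = RecordingMailer()
    if rate_limited:
        handler = ForgotPasswordHandler(
            mailer,
            per_email=SlidingWindowLimiter(limit=3, window=3600, clock=clock),
            per_ip=SlidingWindowLimiter(limit=10, window=3600, clock=clock),
        )
    else:
        handler = ForgotPasswordHandler(mailer)
    for _ in range(n_requests):
        # Constructed input: one attacker IP hammering one victim address.
        handler.handle("203.0.113.5", "victim@example.com")
    return len(mailer.sent)


if __name__ == "__main__":
    print("no limiter:", simulate_burst(50, rate_limited=False), "emails sent")
    print("with limiter:", simulate_burst(50, rate_limited=True), "emails sent")
```

Keying on the address alone is not enough, since an attacker can rotate through many registered addresses from one source; keying on the IP alone is not enough either, since a distributed attacker can target one mailbox from many sources. Both limits together bound the total email volume any single request pattern can generate, and the constant response keeps the limiter from becoming an account-enumeration oracle.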

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 9.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.