GetBookingsWP Appointments Booking Calendar Plugin Privilege Escalation Vulnerability

A privilege escalation vulnerability allowing account takeover has been identified in the GetBookingsWP Appointments Booking Calendar Plugin for WordPress, affecting all versions through 1.1.27. The vulnerability arises because the plugin fails to properly verify a user's identity before allowing changes to account details such as email addresses. This flaw enables authenticated attackers with subscriber-level access or higher to alter the email addresses of any user, including administrators. Once the email is changed, the attacker can reset the user's password and gain access to their account.

Impact

Exploitation of this vulnerability allows for unauthorized access to user accounts, including those of administrators, by changing the email address associated with the account and resetting the password.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a request to update the email address of another user. The request can be made through the WordPress admin interface or via an AJAX call, bypassing the necessary authorization checks. Once the email address is changed, the attacker can use the password reset functionality to gain access to the user's account.

Remediation

No known patch is available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.