Booking Plugin for WordPress Appointments Time Slot Unauthenticated Email Sending Vulnerability
Vulnerability
A vulnerability exists in the Booking Plugin for WordPress Appointments - Time Slot, in versions through 1.4.7. The 'tslot_appt_email' AJAX action can be invoked without authentication and does not adequately validate the request, so an unauthenticated user can have the site send an appointment notification email to any recipient of their choosing. Specific fields of the email are populated from user-supplied text, which could be exploited for phishing or spam.
Impact
Exploitation of this vulnerability allows unauthorized email sending through the affected site, which could be used for phishing attacks or to distribute spam. Because the messages are sent by the site's own mail path, they typically carry the site's sender address and domain reputation, which makes them more convincing than mail from an unrelated host and can get the site's domain blacklisted.
Reproduction
The vulnerability can be reproduced by sending an unauthenticated POST request to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) with the 'tslot_appt_email' action. The request must include appointment details such as the recipient's email address, name, phone number, and other relevant information. This can be done using a tool like Postman or through a custom script that interacts with the WordPress site. Before testing, confirm the installed version on the Plugins screen or in the plugin header; versions through 1.4.7 are affected.
Remediation
Users are advised to update the Booking Plugin for WordPress Appointments - Time Slot to version 1.4.8 or later, which addresses the issue.
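The sketch below is an added illustration of the handler pattern behind the Reproduction and Remediation sections above; it is not the Time Slot plugin's own code. Only the action name 'tslot_appt_email' comes from this advisory; the function names, request field names ('email', 'name', 'appt_id', 'nonce') and the 'tslot_appointment' post type are assumed for the example. The first handler shows why a bare POST to admin-ajax.php is enough: a `wp_ajax_nopriv_` hook with no nonce, no ownership check, and the recipient read straight from the request. The second shows the checks a fixed handler needs.

```php
<?php
// Illustrative example, not the plugin's code. Handler names, field names and
// the 'tslot_appointment' post type are assumptions. The two handlers are
// shown together for comparison; a real plugin would register one or the other.

/* ---- Vulnerable shape: reachable by anyone, recipient and text from the request ---- */

add_action( 'wp_ajax_nopriv_tslot_appt_email', 'tslot_demo_email_vulnerable' );
add_action( 'wp_ajax_tslot_appt_email',        'tslot_demo_email_vulnerable' );

function tslot_demo_email_vulnerable() {
    // No nonce, no link to a stored booking: an unauthenticated POST to
    // admin-ajax.php?action=tslot_appt_email lands here directly.
    $to   = $_POST['email'];   // attacker chooses the recipient
    $name = $_POST['name'];    // attacker-controlled text is placed in the body
    $body = "Hello {$name}, your appointment is confirmed.";
    wp_mail( $to, 'Your appointment', $body );
    wp_send_json_success();
}

/* ---- Hardened shape ---- */

add_action( 'wp_ajax_nopriv_tslot_appt_email', 'tslot_demo_email_hardened' );
add_action( 'wp_ajax_tslot_appt_email',        'tslot_demo_email_hardened' );

function tslot_demo_email_hardened() {
    // 1. Nonce: the booking form embeds wp_create_nonce( 'tslot_appt_email' )
    //    in a 'nonce' field; a request without a valid one dies with HTTP 403.
    check_ajax_referer( 'tslot_appt_email', 'nonce' );

    // 2. Per-IP rate limit so the endpoint cannot serve as a mail relay even
    //    for visitors who legitimately hold a nonce (assumed limit: 5 per hour).
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $key = 'tslot_mail_' . md5( $ip );
    $n   = (int) get_transient( $key );
    if ( $n >= 5 ) {
        wp_send_json_error( 'Too many requests', 429 );
    }
    set_transient( $key, $n + 1, HOUR_IN_SECONDS );

    // 3. The recipient comes from the stored appointment, never from the request.
    $appt_id = isset( $_POST['appt_id'] ) ? absint( $_POST['appt_id'] ) : 0;
    $appt    = $appt_id ? get_post( $appt_id ) : null;
    if ( ! $appt || 'tslot_appointment' !== $appt->post_type ) {
        wp_send_json_error( 'Unknown appointment', 404 );
    }
    $to = get_post_meta( $appt_id, 'customer_email', true );
    if ( ! is_email( $to ) ) {
        wp_send_json_error( 'Appointment has no valid email', 400 );
    }

    // 4. Any free text that is still echoed is sanitized, length-capped and
    //    placed in a fixed template, never in the subject or mail headers.
    $name = sanitize_text_field( wp_unslash( isset( $_POST['name'] ) ? $_POST['name'] : '' ) );
    $name = mb_substr( $name, 0, 80 );
    $date = get_post_meta( $appt_id, 'appt_date', true );
    $body = sprintf( "Hello %s,\n\nyour appointment on %s is confirmed.\n", $name, $date );

    if ( wp_mail( $to, 'Your appointment', $body ) ) {
        wp_send_json_success();
    }
    wp_send_json_error( 'Mail failed', 500 );
}
```

Two design points are worth noting. A nonce on its own is not authorization: for logged-out visitors WordPress nonces are not tied to an individual, so anyone who loads the booking form obtains a valid one. That is why the hardened handler also refuses to take the recipient from the request and only mails the address already stored with a real appointment, and why the per-IP limit is there. The cleanest fix is usually to drop the separate "send email" action altogether and send the notification from the server-side code path that creates the booking.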
