CVE-2024-7350 — AI Deep Analysis Summary

🚨 **Essence**: BookingPress (v1.1.6-1.1.7) fails to verify identity **before** login after booking. 📉 **Consequences**: Full system compromise. CVSS 9.8 (Critical).…

🛡️ **CWE-288**: Authentication Bypass. The core flaw is skipping proper identity validation steps. Users bypass security checks simply by completing a booking action first. 🚫 No gatekeeping.

🏢 **Vendor**: reputeinfosystems. 📦 **Product**: BookingPress (Appointment Booking Calendar & Scheduling). 📅 **Affected**: Versions **1.1.6** to **1.1.7**. If you use these, you are exposed.

💻 **Privileges**: Full access. 📂 **Data**: High confidentiality & integrity impact. Hackers can read sensitive user data, alter bookings, and potentially crash the site. It’s not just a peek; it’s a takeover.

⚡ **Threshold**: LOW. 🌐 **Network**: Remote (AV:N). 🔑 **Auth**: None required (PR:N). 🖱️ **UI**: None required (UI:N). Any unauthenticated attacker can exploit this easily. No complex setup needed.

🔍 **Public Exp?**: No specific PoC code listed in data. 📰 **References**: WordFence and WordPress Trac links exist. ⚠️ **Status**: Likely exploitable given the low barrier, but no public script confirmed yet.

🔎 **Check**: Scan for BookingPress plugin. 📊 **Version**: Verify if installed version is 1.1.6 or 1.1.7. 🛠️ **Tool**: Use WordPress security scanners or check plugin directory details.…

✅ **Fixed?**: Yes. 📝 **Patch**: Reference to changeset 3130266 indicates a fix in `class.bookingpress_customers.php`. 🔄 **Action**: Update to the latest version immediately to close the hole.

🚧 **No Patch?**: Disable the plugin temporarily. 🛑 **Block**: Restrict access to booking endpoints via WAF rules. 🧹 **Audit**: Monitor for unauthorized login attempts post-booking. Mitigation is key if you can't update.

🔥 **Urgency**: CRITICAL. 🚨 **Priority**: Patch NOW. CVSS 9.8 means high impact + easy exploit. Do not wait. Update BookingPress to the latest secure version today.