The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files (if they exist).
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 08 May 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Codepeople
Codepeople appointment Booking Calendar
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:codepeople:appointment_booking_calendar:*:*:*:*:*:wordpress:*:*
Vendors & Products Codepeople
Codepeople appointment Booking Calendar

Mon, 13 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jan 2025 06:15:00 +0000

Type Values Removed Values Added
Description The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files (if they exist).
Title BookingPress < 1.1.23 - Unauthenticated Export File Download
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2025-08-27T12:00:25.696Z

Reserved: 2024-12-05T18:29:09.587Z

Link: CVE-2024-12274

cve-icon Vulnrichment

Updated: 2025-01-13T14:55:50.620Z

cve-icon NVD

Status : Analyzed

Published: 2025-01-13T06:15:10.000

Modified: 2025-05-08T19:37:55.040

Link: CVE-2024-12274

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.