Impact
The vulnerability allows an unauthenticated attacker to forge requests that the Booked plugin will process, which can lead to unintentional changes in booking records. Because the plugin accepts the request without verifying the caller’s identity, an attacker could potentially alter or expose booking data that a legitimate user has created.
Affected Systems
ThemeREX Booked plugin up to and including version 3.0.0 are affected. No higher version information is provided.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trick a victim’s browser into sending a forged request—such as through a malicious link or form—using the victim’s authenticated session to perform the action.
OpenCVE Enrichment