CVE-2023-23895 - WP Time Slots Booking Form <= 1.1.82 Broken Access Control
Details
Details about the software affected by CVE-2023-23895.
| Parameter | Description |
|---|---|
| Software | WP Time Slots Booking Form |
| Type | WordPress Plugin |
| Developer | CodePeople |
| Plugin URL | https://wordpress.org/plugins/wp-time-slots-booking-form/ |
| Vulnerable Version | <= 1.1.82 |
| Classification | Broken Access Control |
| Required privilege | Editor |
| Publicly disclosed | 20.01.2023 |
Researcher
This vulnerability was discovered by @yuyudhn.
Description
yuyudhn discovered and reported this Broken Access Control vulnerability in the WordPress plugin WP Time Slots Booking Form. The vulnerability has been fixed in version 1.1.83.
The plugin allows a user with the Editor role to view, approve, or reject booking orders for an Administrator's calendar, which by design is not allowed.
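To check whether an installation still runs an affected release, the version in the plugin's header comment can be compared against the fixed version 1.1.83. This is an added example, not code from the plugin or from this advisory; it assumes the standard `wp-content/plugins/<slug>` layout, takes the slug from the plugin URL above, and uses a constructed sample header.

```python
import re
from pathlib import Path

SLUG = "wp-time-slots-booking-form"  # slug taken from the plugin URL on this page
FIXED = (1, 1, 83)                   # first fixed version according to this advisory

# Constructed sample header for illustration (not copied from the plugin's real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP Time Slots Booking Form
Version: 1.1.82
*/
"""

# WordPress reads plugin metadata from a header comment near the top of a PHP file.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if no header is found."""
    m = _VERSION_RE.search(text[:8192])  # WordPress only inspects the first 8 KB
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".") if p)

def is_vulnerable(version):
    """True when the version is <= 1.1.82, i.e. below the fixed release."""
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded < FIXED

def audit(wp_root):
    """Check one WordPress install; returns (status, version)."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    for php in sorted(plugin_dir.glob("*.php")):  # main file name is not assumed
        v = parse_version(php.read_text(errors="replace"))
        if v is not None:
            return ("vulnerable" if is_vulnerable(v) else "fixed", v)
    return ("unknown", None)

if __name__ == "__main__":
    import sys
    for root in sys.argv[1:]:  # pass one or more WordPress root directories
        print(root, *audit(root))
```
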
Proof of Concept
Not published yet.
References
- CVE-2023-23895 - Patchstack
- https://www.cve.org/CVERecord?id=CVE-2023-23895