How to fix CVE-2024-13677?

Within 7 days: Identify all affected systems running For WordPress plugin for WordPress is vulnerable to privileg and apply vendor patches promptly. Monitor vendor channels for patch availability.

Is Get Bookings Wp affected by CVE-2024-13677?

Organizations using GetBookingsWP - Appointments Booking Calendar face significant risk from CVE-2024-13677, a missing authorization vulnerability rated CVSS 8.8. Attackers could bypass security controls to gain unauthorized access to protected resources and sensitive data.

CVE-2024-13677

HIGH

2025-02-18 [email protected]

WordPress Authentication Bypass Privilege Escalation Get Bookings Wp

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:27 vuln.today

CVE Published

Feb 18, 2025 - 05:15 nvd

HIGH 8.8

DescriptionNVD

The GetBookingsWP - Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

AnalysisAI

The GetBookingsWP - Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. The GetBookingsWP - Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Affected products include: Istmoplugins Get Bookings Wp.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2024-13677 vulnerability details – vuln.today

Back

CVE-2024-13677

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code