Booknetic
Account takeover in the Booknetic WordPress appointment booking plugin, versions 4.8.5 and earlier, allows remote unauthenticated attackers to bypass authentication controls and gain access to arbitrary user accounts. The Patchstack advisory characterizes this as a broken authentication weakness (CWE-288) with high impact on confidentiality, integrity, and availability. No public exploit is identified at the time of analysis, and exploitation requires high attack complexity per the CVSS vector.
The Booknetic WordPress plugin before 4.1.5 does not perform a CSRF check when creating Staff accounts, which could allow attackers to make a logged-in admin add arbitrary Staff members via a CSRF attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.
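The missing CSRF check described above is the familiar WordPress pattern of an admin-ajax handler that trusts the logged-in admin's cookie alone. The following is an added illustration, not Booknetic's code: the handler, hook and action names (`example_create_staff`, `exampleStaff`) are assumptions, and it shows the weak handler beside one that adds a capability check and nonce verification.

```php
<?php
// Added example (not the plugin's code). Two admin-ajax handlers for a
// hypothetical "create staff" action: the vulnerable shape and the fixed one.

// --- Vulnerable pattern: relies on the admin's session cookie alone ---
// A form auto-submitted from another site still carries the admin's cookie,
// and nothing here proves the request came from this site's own admin page.
function example_create_staff_vulnerable() {
    $name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    wp_insert_user( [                       // hypothetical storage step
        'user_login'   => $email,
        'user_email'   => $email,
        'display_name' => $name,
        'role'         => 'subscriber',
    ] );
    wp_send_json_success();
}

// --- Hardened pattern: authorization check plus CSRF nonce ---
function example_create_staff_hardened() {
    // 1. Authorization: only users allowed to manage the site may add staff.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the nonce is bound to the current user and this action and is
    //    only embedded in pages this site rendered for that user, so a forged
    //    cross-site request cannot supply it. check_ajax_referer() exits
    //    with a -1 response when the nonce is missing or invalid.
    check_ajax_referer( 'example_create_staff', '_ajax_nonce' );

    $name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    $user_id = wp_insert_user( [
        'user_login'   => $email,
        'user_email'   => $email,
        'display_name' => $name,
        'role'         => 'subscriber',
    ] );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( [ 'id' => $user_id ] );
}
add_action( 'wp_ajax_example_create_staff', 'example_create_staff_hardened' );

// The plugin's admin page must hand the matching nonce to its script, e.g.:
// wp_localize_script( 'example-admin', 'exampleStaff',
//     [ 'nonce' => wp_create_nonce( 'example_create_staff' ) ] );
```

The nonce check alone is not a substitute for the capability check: the first proves the request originated from the site's own page, the second that the user is allowed to perform the action.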