CVE-2024-13677: CWE-862 Missing Authorization in istmoplugins GetBookingsWP – Appointments Booking Calendar Plugin For WordPress
CVE-2024-13677 is a high-severity privilege escalation vulnerability in the GetBookingsWP – Appointments Booking Calendar Plugin for WordPress. The plugin's user-details update routine performs no authorization check on the target account, so any authenticated user with subscriber-level access or higher can change the email address of an arbitrary user, including administrators. An attacker who sets an administrator's address to one they control can then request a password reset and take over the account without any interaction from the victim. All versions up to and including 1.1.27 are affected. No exploitation in the wild has been reported, but the attack is simple (one authenticated request followed by a standard password reset) and its effect on confidentiality, integrity and availability is complete, so sites running this plugin should patch or mitigate promptly.
AI Analysis
Technical Summary
CVE-2024-13677 is classified under CWE-862 (Missing Authorization) and affects the GetBookingsWP – Appointments Booking Calendar Plugin for WordPress in all versions up to and including 1.1.27. The plugin exposes a routine that updates user details, including the account email address, but never checks that the requesting user is permitted to modify the targeted account; it only requires that the requester be logged in. Any authenticated user with subscriber-level privileges or higher can therefore submit an update naming an arbitrary user ID, including an administrator's, and replace that user's email address with one under their control. Because WordPress delivers password reset links to the email address stored on the account, the attacker then requests a reset for the administrator, follows the link, sets a new password and holds a full administrator session. The subscriber role needed as a starting point is often obtainable through self-registration where the site allows it, which booking workflows frequently do. No user interaction is required and the attack is carried out over the network, as the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) records; the score of 8.8 (High) reflects that a low-privileged account can be converted into complete control of the site. No patch or vendor fix is linked in this record and no exploitation in the wild has been reported, but the flaw needs no special tooling and would be straightforward to weaponize. Confidentiality, integrity and availability are all affected, since an administrator can read all site data, change content and configuration, install arbitrary plugins and take the site offline.
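The pattern the summary describes, and the checks that close it, as an added example written for this page (not the plugin's own code and not a vendor fix). The action name `example_update_user_details`, the POST parameter names and the handler layout are assumptions; the advisory does not publish the affected code path. The first handler shows the CWE-862 shape: it is reachable by any logged-in user and trusts the caller-supplied user ID. The second adds a nonce for request intent and, the part that actually matters here, a capability check that the caller may edit the targeted user.

```php
<?php
/**
 * Added example (not GetBookingsWP code): a hypothetical WordPress AJAX
 * handler that updates a user's e-mail address, first as a CWE-862 pattern
 * and then with the checks that close it. Action and parameter names are
 * assumptions made for illustration.
 */

// --- Vulnerable pattern: any logged-in user may change any user's e-mail. ---
// wp_ajax_* hooks only require that *some* user is logged in; they do not
// check which user, nor whether that user may edit the target account.
add_action( 'wp_ajax_example_update_user_details', 'example_update_user_details_vulnerable' );

function example_update_user_details_vulnerable() {
    $user_id = absint( $_POST['user_id'] ?? 0 );   // attacker-controlled target
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );

    // No nonce, no capability check: a subscriber can point user_id at an
    // administrator and swap in an address they control, then reset the password.
    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success( 'updated' );
}

// --- Hardened pattern: verify intent (nonce) and authorization (capability). ---
add_action( 'wp_ajax_example_update_user_details_safe', 'example_update_user_details_safe' );

function example_update_user_details_safe() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_update_user_details', 'nonce' );

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );

    // 2. Authorization: the caller must be allowed to edit *this* user.
    //    'edit_user' is a meta capability: it is granted for the caller's own
    //    account and otherwise maps to 'edit_users', which subscribers lack.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: reject malformed or already-used addresses.
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    $existing = email_exists( $email );
    if ( $existing && (int) $existing !== $user_id ) {
        wp_send_json_error( 'email already in use', 409 );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( 'updated' );
}
```

The nonce alone would not have prevented this CVE: a subscriber can obtain a valid nonce for their own session, so the capability check on the specific target user ID is the control that matters. When reviewing a plugin for this class of bug, look for every `wp_ajax_`, REST route or form handler that accepts a user ID from the request and confirm that `current_user_can( 'edit_user', $id )` (or an equivalent ownership check) sits between the request and `wp_update_user()`.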
Potential Impact
Successful exploitation turns a subscriber account, the lowest role a site can hand out, into an administrator session, and with it complete control of the site. Confidentiality is lost because an administrator can read every user record, booking and configuration value; integrity because they can alter content, settings and user roles and install arbitrary plugins or themes, which on a default WordPress install is equivalent to code execution on the web server; availability because they can deactivate the site or wipe its content. Organizations using the plugin for appointment scheduling additionally hold customer names, contact details and appointment histories, so a compromise is a data breach as well as a service outage. Credentials or API keys stored in the WordPress configuration (database, SMTP, payment or calendar integrations) and any administrator passwords reused elsewhere give the attacker a path onward into other systems. Because WordPress is used across small businesses, healthcare, education and other sectors for scheduling and customer management, exposure is broad.
Mitigation Recommendations
Upgrade the GetBookingsWP plugin to a version that adds the missing authorization check as soon as one is available; until then, deactivate or uninstall the plugin if the site can tolerate the loss of booking functionality. If it cannot, shrink the pool of potential attackers: disable open registration (Settings > General, "Anyone can register") unless the booking workflow requires it, and review existing subscriber accounts for ones that never booked anything. Put a Web Application Firewall rule in front of the plugin's user-update requests that blocks them unless the requester is an administrator or is editing their own account; rules that merely rate-limit will not help, because a single request is enough. Detect the attack chain rather than only its first step: alert on any change to an administrator's email address and on password reset requests for administrator accounts, both of which can be captured with WordPress hooks (profile_update and retrieve_password) and mailed out or forwarded to a SIEM. WordPress core already mails the old address when an email is changed through its user-update API, so train administrators to treat that notice as an incident signal rather than noise. Enforce multi-factor authentication on all administrator accounts, which defeats the takeover even after a successful reset, and periodically compare administrator user IDs and email addresses against a known-good baseline. Keep tested offline backups so that a compromised site can be rebuilt rather than cleaned in place.
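A detection hook for the alerting step above, added here as an example; it is not part of GetBookingsWP or of any vendor fix. It is a hypothetical must-use plugin, and the function name, log prefix and mail subject are assumptions. It relies on the core `profile_update` action, which fires with the pre-update `WP_User` object whenever a user is saved through `wp_update_user()`, so the old and new addresses can be compared and a change to an administrator account escalated.

```php
<?php
/**
 * Plugin Name: Admin E-mail Change Alert (added example, not part of GetBookingsWP)
 * Description: Logs and e-mails an alert whenever an administrator's address changes.
 * Place this file in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

add_action( 'profile_update', 'example_alert_on_admin_email_change', 10, 2 );

/**
 * Runs after wp_update_user() saves a user. $old_user_data is the WP_User
 * object as it was before the update, which lets us diff the e-mail field.
 */
function example_alert_on_admin_email_change( $user_id, $old_user_data ) {
    $new_user = get_userdata( $user_id );
    if ( ! $new_user || ! $old_user_data instanceof WP_User ) {
        return;
    }

    $old_email = $old_user_data->user_email;
    $new_email = $new_user->user_email;
    if ( strcasecmp( $old_email, $new_email ) === 0 ) {
        return; // address unchanged, nothing to report
    }

    // Only escalate for privileged accounts; ordinary profile edits are noise.
    if ( ! in_array( 'administrator', (array) $new_user->roles, true ) ) {
        return;
    }

    $actor_id = (int) wp_get_current_user()->ID; // 0 when no user is logged in
    $ip       = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $uri      = isset( $_SERVER['REQUEST_URI'] )
        ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : 'n/a';

    $message = sprintf(
        "Administrator e-mail changed on %s\nTarget user: %d (%s)\nOld: %s\nNew: %s\nChanged by user ID: %d from %s\nRequest: %s",
        home_url(), $user_id, $new_user->user_login, $old_email, $new_email, $actor_id, $ip, $uri
    );

    // Write one line to the PHP error log for SIEM pickup, then notify the
    // previous address (the legitimate owner) and the site's admin_email.
    error_log( '[admin-email-change] ' . str_replace( "\n", ' | ', $message ) );
    $recipients = array_unique( array( $old_email, get_option( 'admin_email' ) ) );
    wp_mail( $recipients, 'Alert: administrator e-mail address changed', $message );

    // The CVE-2024-13677 shape: the actor is neither the target account nor a
    // user holding edit_users, so no legitimate code path should have done this.
    if ( $actor_id !== (int) $user_id && ! user_can( $actor_id, 'edit_users' ) ) {
        error_log( sprintf(
            '[admin-email-change] SUSPICIOUS: user %d changed admin %d without edit_users',
            $actor_id, $user_id
        ) );
    }
}
```

One caveat: if a plugin writes to the users table directly through `$wpdb` instead of calling `wp_update_user()`, `profile_update` never fires. Pair the hook with an out-of-band check such as `wp user list --role=administrator --fields=ID,user_login,user_email` run on a schedule and diffed against a stored baseline, so that a change made by any code path is still noticed.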
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-23T18:27:19.268Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e67b7ef31ef0b5a009e
Added to database: 2/25/2026, 9:49:27 PM
Last enriched: 2/25/2026, 10:42:23 PM
Last updated: 2/26/2026, 7:50:24 AM
Related Threats
- CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup (High)
- CVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator (Medium)
- CVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo (Medium)