CVE-2024-13746: CWE-862 Missing Authorization in imznarf Booking Calendar and Notification
CVE-2024-13746 is a medium severity vulnerability in the imznarf Booking Calendar and Notification WordPress plugin, affecting all versions up to 4.0.3. The flaw arises from missing authorization checks in key functions, allowing unauthenticated attackers to access, modify, or delete booking data and arbitrary posts. Exploitation requires no user interaction or privileges, making it remotely exploitable over the network. While no known exploits are currently reported in the wild, the vulnerability poses risks to the confidentiality and integrity of booking data. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized data manipulation. The vulnerability primarily impacts websites using this plugin, which may be more prevalent in countries with high WordPress adoption and e-commerce or booking services. Given the CVSS score of 6.5, the threat is medium severity but should not be ignored due to the ease of exploitation and potential data exposure.
AI Analysis
Technical Summary
CVE-2024-13746 is a vulnerability identified in the imznarf Booking Calendar and Notification plugin for WordPress, affecting all versions up to and including 4.0.3. The root cause is missing authorization (CWE-862) in three critical functions: wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts(). These functions lack proper capability checks, allowing unauthenticated attackers to remotely invoke them without any privileges or user interaction. As a result, attackers can extract booking data, create or update bookings, or delete arbitrary posts on the affected WordPress sites. The vulnerability is remotely exploitable over the network (AV:N), requires no authentication (PR:N), and no user interaction (UI:N), which increases its risk profile. The impact primarily affects confidentiality and integrity, as attackers can access sensitive booking information and manipulate or delete data, but availability is not significantly impacted. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on January 27, 2025, and published on March 1, 2025, with a CVSS 3.1 base score of 6.5, indicating medium severity.
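The advisory names the affected functions but not how they are exposed. The following is an added illustration (not code from the Booking Calendar and Notification plugin) of the CWE-862 pattern in a WordPress AJAX handler and of the authorization checks that close it; the `wp_ajax_*` hook names, the `wpcb_nonce` action string, the `post_id` parameter and the `wpcb_booking` post type are assumptions chosen for the example.

```php
<?php
// Illustrative reconstruction of a missing-authorization bug in a WordPress
// AJAX delete handler, and its hardened counterpart. Not the plugin's code;
// hook names, nonce action, request parameter and post type are assumed.
// Both variants are shown for contrast; a plugin would register only one.

// Vulnerable pattern (CWE-862): reachable by logged-out visitors through
// wp_ajax_nopriv_*, and it never asks WordPress whether the caller may
// delete the post. Any post ID supplied in the request is deleted.
function wpcb_delete_posts_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    wp_delete_post( $post_id, true ); // no capability check, no nonce check
    wp_send_json_success();
}
add_action( 'wp_ajax_wpcb_delete_posts', 'wpcb_delete_posts_vulnerable' );
add_action( 'wp_ajax_nopriv_wpcb_delete_posts', 'wpcb_delete_posts_vulnerable' );

// Hardened pattern: no nopriv hook, a nonce to stop cross-site requests,
// a post-type check so only the plugin's own records can be touched, and a
// per-post capability check so the caller may delete only what WordPress
// says they may delete.
function wpcb_delete_posts_hardened() {
    // Ends the request with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'wpcb_nonce', 'security' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // Refuse arbitrary posts: act only on the plugin's booking post type (assumed name).
    if ( ! $post || 'wpcb_booking' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Invalid booking.' ), 400 );
    }

    // Meta capability: resolves to delete_posts / delete_others_posts etc.
    // for this post type and user, so an editor and a subscriber differ here.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_wpcb_delete_posts', 'wpcb_delete_posts_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated callers
// never reach the handler at all.
```

The same two checks (a nonce plus a `current_user_can()` test against the specific record) apply to the read and update handlers named in the advisory; registering a handler only under `wp_ajax_*` removes the unauthenticated path entirely.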
Potential Impact
The vulnerability allows unauthorized attackers to access sensitive booking data, potentially exposing personal or business information, which can lead to privacy violations and reputational damage. Attackers can also create or modify bookings, which could disrupt business operations, cause financial loss, or lead to fraudulent activities. The ability to delete arbitrary posts further risks data integrity and content availability, potentially affecting website functionality and user trust. Organizations relying on this plugin for booking management may face operational disruptions and data breaches if exploited. Since the vulnerability requires no authentication and no user interaction, it can be exploited by automated tools or remote attackers scanning for vulnerable sites, increasing the likelihood of widespread abuse. The absence of known exploits in the wild currently limits immediate impact, but the ease of exploitation and the critical nature of booking data make this a significant risk for affected sites.
Mitigation Recommendations
1. Immediate mitigation involves disabling or uninstalling the Booking Calendar and Notification plugin until a patch is available.
2. Monitor official vendor channels and WordPress plugin repositories for updates or patches addressing this vulnerability.
3. Implement web application firewall (WAF) rules to block or restrict access to the vulnerable plugin’s endpoints, especially the functions wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts().
4. Restrict access to the WordPress admin area and plugin endpoints by IP whitelisting or VPN access where feasible.
5. Conduct regular audits of booking data and posts to detect unauthorized changes or deletions.
6. Employ intrusion detection systems (IDS) to monitor for suspicious activity targeting the plugin’s functions.
7. Educate site administrators on the risks of using outdated plugins and the importance of timely updates.
8. Consider alternative booking plugins with verified security postures if immediate patching is not possible.

These steps go beyond generic advice by focusing on access control, monitoring, and operational adjustments specific to this vulnerability.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-27T20:09:52.669Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e6cb7ef31ef0b5a0663
Added to database: 2/25/2026, 9:49:32 PM
Last enriched: 2/25/2026, 10:15:21 PM
Last updated: 2/25/2026, 10:53:35 PM