CVE-2024-6660 is a vulnerability classified under CWE-280 (Improper Handling of Insufficient Permissions or Privileges) affecting the BookingPress Appointment Booking Calendar and Online Scheduling Plugin for WordPress, developed by reputeinfosystems. The flaw exists in all versions up to and including 1.1.5 due to a missing capability check in the function bookingpress_import_data_continue_process_func. This function can be invoked by authenticated users with minimal privileges (Subscriber-level or above) to perform unauthorized actions such as updating arbitrary WordPress options and uploading arbitrary files. Exploiting this vulnerability enables attackers to modify the default user role for new registrations to administrator and activate user registration functionality, thereby allowing them to create accounts with administrative privileges. The vulnerability has a CVSS 3.1 base score of 8.8, indicating high severity, with an attack vector of network (remote exploitation), low attack complexity, requiring only low privileges and no user interaction. The scope is unchanged but the impact on confidentiality, integrity, and availability is high, as attackers gain full control over the affected WordPress site. Although no public exploits are currently known, the vulnerability presents a significant risk to websites relying on this plugin for appointment booking and scheduling services. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps.

The vulnerability allows attackers with minimal authenticated access to escalate privileges to full administrator rights on affected WordPress sites. This can lead to complete site takeover, including the ability to modify content, steal sensitive data, install backdoors or malware, and disrupt services. Organizations relying on BookingPress plugins for customer-facing appointment scheduling risk reputational damage, data breaches, and operational downtime. Attackers could also leverage compromised sites to launch further attacks against visitors or internal networks. The impact extends to confidentiality (exposure of sensitive user and business data), integrity (unauthorized changes to site content and configurations), and availability (potential site defacement or denial of service). Given the widespread use of WordPress and the popularity of booking plugins in sectors like healthcare, hospitality, and professional services, the threat could affect a broad range of organizations globally.

1. Immediately restrict access to the BookingPress plugin’s administrative and import functions to trusted users only, ideally disabling user registration temporarily. 2. Monitor user roles and registrations for unauthorized changes, especially the default role setting. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting bookingpress_import_data_continue_process_func or related endpoints. 4. Conduct a thorough audit of existing user accounts and remove any suspicious or unauthorized administrator accounts. 5. If a patch becomes available, apply it promptly. Until then, consider disabling or uninstalling the BookingPress plugin if feasible. 6. Harden WordPress security by enforcing least privilege principles, using multi-factor authentication for all admin accounts, and regularly reviewing plugin permissions. 7. Monitor logs for anomalous activity related to file uploads or option changes. 8. Educate site administrators about the risks of granting Subscriber or higher roles to untrusted users.