CVE-2024-7350 is an authentication bypass vulnerability classified under CWE-288, found in the Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress for WordPress, specifically versions 1.1.6 and 1.1.7. The vulnerability stems from improper verification of user identity when the plugin automatically logs in users after they complete a booking. If the 'Auto login user after successful booking' feature is enabled, an attacker who knows a registered user's email address can bypass authentication controls and gain access to that user's account without providing credentials. This includes the ability to log in as administrators, which could lead to full site compromise. The vulnerability is remotely exploitable over the network without any privileges or user interaction, making it highly dangerous. The CVSS 3.1 base score of 9.8 reflects the critical severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the ease of exploitation and the potential damage make this a significant threat to WordPress sites using the affected plugin versions with the vulnerable setting enabled.

The impact of CVE-2024-7350 is severe for organizations using the affected BookingPress plugin versions with the 'Auto login user after successful booking' feature enabled. Attackers can gain unauthorized access to any registered user account by knowing their email, including administrator accounts. This can lead to complete site takeover, data theft, unauthorized changes, defacement, or deployment of malicious content. The compromise of administrator accounts can also facilitate further attacks on the hosting environment or connected systems. For businesses relying on this plugin for appointment scheduling, this vulnerability threatens customer data confidentiality and service availability, potentially damaging reputation and causing financial loss. The vulnerability’s network accessibility and lack of required authentication or user interaction increase the likelihood of exploitation, making it a critical risk for WordPress sites globally.

To mitigate CVE-2024-7350, organizations should immediately update the BookingPress plugin to a patched version once available. Until a patch is released, administrators should disable the 'Auto login user after successful booking' feature to prevent exploitation. Additionally, site owners should audit user accounts for suspicious logins and enforce strong email verification and monitoring. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious booking requests or login attempts can provide temporary protection. Regular backups and incident response plans should be in place to recover from potential compromises. Monitoring plugin updates and subscribing to security advisories from the vendor and WordPress security communities is critical to timely remediation.