CVE-2024-9450: CWE-352 Cross-Site Request Forgery (CSRF) in Unknown Free Booking Plugin for Hotels, Restaurants and Car Rentals
The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in subscriber change them via a CSRF attack.
AI Analysis
Technical Summary
CVE-2024-9450 is a medium-severity vulnerability classified as CWE-352 (Cross-Site Request Forgery) affecting the Free Booking Plugin for Hotels, Restaurants and Car Rentals, a WordPress plugin used to manage bookings for hospitality and rental services. The vulnerability exists in versions prior to 1.3.15 due to the absence of CSRF protections when updating plugin settings. Specifically, the plugin does not implement a CSRF token or verification mechanism to ensure that requests to change configuration settings originate from legitimate, authorized users. This flaw allows an attacker to craft malicious web requests that, when executed in the browser of a logged-in subscriber (a user role with limited privileges in WordPress), alter the plugin's settings without the user's consent or knowledge. The CVSS 3.1 base score is 6.5, indicating medium severity. The vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) suggests the attack can be performed remotely over the network without authentication or user interaction, affecting confidentiality and integrity but not availability. Although the subscriber role typically has limited permissions, the ability to change plugin settings could lead to unauthorized modifications that affect booking operations or data confidentiality. No known exploits are currently reported in the wild, and no patches or vendor advisories are linked, so until a fix is published, mitigation may require manual updates or configuration changes. The vulnerability is particularly relevant for websites using this plugin to manage bookings, which may include small and medium hospitality businesses and rental services relying on WordPress infrastructure.
Potential Impact
For European organizations, especially those in the hospitality, restaurant, and car rental sectors using WordPress with this plugin, the vulnerability poses a risk of unauthorized configuration changes that could disrupt booking processes or expose sensitive customer data. Although the subscriber role is limited, attackers exploiting this flaw could manipulate settings to redirect bookings, alter pricing, or leak confidential information, undermining customer trust and operational integrity. This could lead to financial losses, reputational damage, and regulatory compliance issues under GDPR if personal data is compromised. The attack does not require user interaction or authentication, increasing the risk of automated exploitation attempts. Given the widespread use of WordPress in Europe and the importance of the hospitality sector to many European economies, the vulnerability could have a notable impact if left unaddressed.
Mitigation Recommendations
Organizations should immediately verify whether they are using the Free Booking Plugin for Hotels, Restaurants and Car Rentals and check the plugin version. If the version is prior to 1.3.15, they should upgrade, as soon as it is available, to a version that includes CSRF protections. In the absence of an official patch, administrators can implement web application firewall (WAF) rules to detect and block suspicious POST requests targeting the plugin's settings endpoints. Additionally, restricting subscriber role capabilities to the minimum necessary and monitoring for unusual configuration changes can reduce risk. Employing security plugins that enforce CSRF tokens, or adding custom nonce verification in the plugin code (if feasible), can provide interim protection. Regularly auditing user roles and permissions, and educating users about phishing and social engineering risks, will further reduce the likelihood of exploitation.
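The nonce-verification and change-monitoring recommendations above, shown as an added example of how a WordPress settings-update handler is hardened. This is illustrative code written for this page, not the Free Booking Plugin's own code; the option key, nonce action, `admin_post_` action name and form field are assumptions.

```php
<?php
// Added, illustrative hardening for a WordPress settings-update handler.
// Not the plugin's code: the option key, nonce action, admin_post action name
// and the booking_email field are hypothetical names chosen for this example.

const FBP_EXAMPLE_OPTION = 'fbp_example_settings'; // hypothetical option key
const FBP_EXAMPLE_NONCE  = 'fbp_example_save';     // hypothetical nonce action

// Settings form: wp_nonce_field() emits a hidden token bound to the current
// user's session and to this specific action, which a cross-site form cannot know.
function fbp_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="fbp_example_save" />';
    wp_nonce_field( FBP_EXAMPLE_NONCE, '_fbp_nonce' );
    echo '<input type="text" name="booking_email" />';
    submit_button( 'Save' );
    echo '</form>';
}

// Handler: the vulnerable pattern reads $_POST and calls update_option() with no
// checks. The hardened version rejects the request unless BOTH checks pass.
function fbp_example_save_settings() {
    // 1. Capability check: a Subscriber never has manage_options, so a forged
    //    request riding on a subscriber's cookies is rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Nonce check: check_admin_referer() calls wp_die() when the token is
    //    missing or invalid, so a forged POST fails even for an admin victim.
    check_admin_referer( FBP_EXAMPLE_NONCE, '_fbp_nonce' );

    $email = sanitize_email( wp_unslash( $_POST['booking_email'] ?? '' ) );
    update_option( FBP_EXAMPLE_OPTION, array( 'booking_email' => $email ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_fbp_example_save', 'fbp_example_save_settings' );

// Detection aid: log every change to the option with the acting user and
// source address, so unexpected settings edits stand out in the server log.
function fbp_example_audit_change( $old_value, $new_value ) {
    $user = wp_get_current_user();
    error_log( sprintf( '[fbp-audit] settings changed by user #%d (%s) from %s',
        $user->ID, $user->user_login, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
}
add_action( 'update_option_' . FBP_EXAMPLE_OPTION, 'fbp_example_audit_change', 10, 2 );
```

The capability check alone already closes the subscriber case described in the advisory; the nonce check is what closes CSRF against higher-privileged victims as well.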
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Austria, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2024-10-02T21:01:39.043Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f91484d88663aeba76
Added to database: 5/20/2025, 6:59:05 PM
Last enriched: 7/4/2025, 4:09:57 PM
Last updated: 7/31/2025, 2:28:58 PM