LiveActive security incident?Get immediate response
CVE Record

CVE-2024-13821: WP Booking Calendar <= 10.10 - Unauthenticated Post-Confirmation Booking Manipulation

The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved.

MediumCVSS 5.3Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-13821 affects the WP Booking Calendar WordPress plugin through version 10.10. An unauthenticated person could alter their own booking after it was confirmed, even after approval. This is mainly an integrity issue for organizations relying on approved bookings for scheduling, capacity, access, payments, or service commitments.

Executive priority

Treat as a moderate-priority integrity risk. Prioritize sites where booking changes affect revenue, regulated services, physical access, staffing, or customer commitments.

Technical view

The issue is improper authorization or re-verification after booking creation. Network attackers need no account, interaction, or elevated privileges. The CVSS 3.1 score is 5.3 with low integrity impact only. Sources identify CWE-285 and describe post-confirmation manipulation of approved bookings in WP Booking Calendar through 10.10.

Likely exposure

Public WordPress sites running WP Booking Calendar up to and including 10.10 are the likely exposure, especially where unauthenticated users can create bookings and later modify them.

Exploitation context

The source bundle does not show CISA KEV listing or confirmed active exploitation. It describes unauthenticated manipulation of confirmed bookings, but not broader site takeover, data disclosure, or code execution.

Researcher notes

Evidence identifies the vulnerability class and affected range, but the source bundle does not provide a named fixed version or exploitation evidence. Validate against vendor release notes and the referenced WordPress Trac changeset before asserting remediation status.

Mitigation direction

  • Inventory WordPress sites using WP Booking Calendar and record installed versions.
  • Check vendor and WordPress plugin guidance for the fixed release before upgrading.
  • Update affected plugin installations when an applicable vendor-supported fix is available.
  • Review approved bookings for unexpected post-approval changes.
  • Temporarily disable public booking changes if business impact is unacceptable.

Validation and detection

  • Confirm whether WP Booking Calendar is installed on each WordPress site.
  • Verify plugin version is not 10.10 or earlier after remediation.
  • Review application logs and booking audit trails for suspicious approved-booking edits.
  • Confirm booking-change workflows require appropriate re-verification or authorization.
  • Document any compensating controls if immediate upgrade is not possible.
Prepared
Confidence
high
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-285: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2024-13821 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
4Timeline events
1ADP providers
3Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.3CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N3.91.4Wordfence

Vulnerability scoring details

Base CVSS 3.1 score

5.3Medium
CVSS 3.1 vector shape for CVE-2024-13821Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. Source timelineWordfence

    Disclosed

  3. CVE publishedCVE Program

    The CVE record was published.

  4. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
wpdevelopBooking Calendar0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-285 · source CWE mapping

Improper Authorization

Improper Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.