The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved.
Security readout for executives and security teams
Plain-English summary
CVE-2024-13821 affects the WP Booking Calendar WordPress plugin through version 10.10. An unauthenticated person could alter their own booking after it was confirmed, even after approval. This is mainly an integrity issue for organizations relying on approved bookings for scheduling, capacity, access, payments, or service commitments.
Executive priority
Treat as a moderate-priority integrity risk. Prioritize sites where booking changes affect revenue, regulated services, physical access, staffing, or customer commitments.
Technical view
The issue is improper authorization or re-verification after booking creation. Network attackers need no account, interaction, or elevated privileges. The CVSS 3.1 score is 5.3 with low integrity impact only. Sources identify CWE-285 and describe post-confirmation manipulation of approved bookings in WP Booking Calendar through 10.10.
Likely exposure
Public WordPress sites running WP Booking Calendar up to and including 10.10 are the likely exposure, especially where unauthenticated users can create bookings and later modify them.
Exploitation context
The source bundle does not show CISA KEV listing or confirmed active exploitation. It describes unauthenticated manipulation of confirmed bookings, but not broader site takeover, data disclosure, or code execution.
Researcher notes
Evidence identifies the vulnerability class and affected range, but the source bundle does not provide a named fixed version or exploitation evidence. Validate against vendor release notes and the referenced WordPress Trac changeset before asserting remediation status.
Mitigation direction
Inventory WordPress sites using WP Booking Calendar and record installed versions.
Check vendor and WordPress plugin guidance for the fixed release before upgrading.
Update affected plugin installations when an applicable vendor-supported fix is available.
Review approved bookings for unexpected post-approval changes.
Temporarily disable public booking changes if business impact is unacceptable.
Validation and detection
Confirm whether WP Booking Calendar is installed on each WordPress site.
Verify plugin version is not 10.10 or earlier after remediation.
Review application logs and booking audit trails for suspicious approved-booking edits.
Confirm booking-change workflows require appropriate re-verification or authorization.
Document any compensating controls if immediate upgrade is not possible.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-285: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-285 · source CWE mapping
Improper Authorization
Improper Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.