Search criteria
2 vulnerabilities found for Scheduling Plugin – Online Booking for WordPress by startbooking
CVE-2024-1634 (GCVE-0-2024-1634)
Vulnerability from nvd – Published: 2024-06-18 02:37 – Updated: 2026-04-08 16:56
VLAI
Title
Scheduling Plugin – Online Booking for WordPress <= 3.5.10 - Missing Authorization to Unauthenticated Service Disconnection
Summary
The Scheduling Plugin – Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cbsb_disconnect_settings' function in all versions up to, and including, 3.5.10. This makes it possible for unauthenticated attackers to disconnect the plugin from the startbooking service and remove connection data.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| startbooking | Scheduling Plugin – Online Booking for WordPress |
Affected:
0 , ≤ 3.5.10
(semver)
|
|
| startbooking | scheduling_plugin |
Affected:
0 , ≤ 3.5.10
(custom)
cpe:2.3:a:startbooking:scheduling_plugin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:startbooking:scheduling_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "scheduling_plugin",
"vendor": "startbooking",
"versions": [
{
"lessThanOrEqual": "3.5.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-18T13:51:59.512257Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-18T13:54:50.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:20.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60e642f9-74ff-47f1-a49d-99c8fdb26f4a?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/calendar-booking/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Scheduling Plugin \u2013 Online Booking for WordPress",
"vendor": "startbooking",
"versions": [
{
"lessThanOrEqual": "3.5.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Scheduling Plugin \u2013 Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027cbsb_disconnect_settings\u0027 function in all versions up to, and including, 3.5.10. This makes it possible for unauthenticated attackers to disconnect the plugin from the startbooking service and remove connection data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:56:41.676Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60e642f9-74ff-47f1-a49d-99c8fdb26f4a?source=cve"
},
{
"url": "https://wordpress.org/plugins/calendar-booking/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-17T14:10:37.000Z",
"value": "Disclosed"
}
],
"title": "Scheduling Plugin \u2013 Online Booking for WordPress \u003c= 3.5.10 - Missing Authorization to Unauthenticated Service Disconnection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1634",
"datePublished": "2024-06-18T02:37:12.621Z",
"dateReserved": "2024-02-19T17:10:34.228Z",
"dateUpdated": "2026-04-08T16:56:41.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1634 (GCVE-0-2024-1634)
Vulnerability from cvelistv5 – Published: 2024-06-18 02:37 – Updated: 2026-04-08 16:56
VLAI
Title
Scheduling Plugin – Online Booking for WordPress <= 3.5.10 - Missing Authorization to Unauthenticated Service Disconnection
Summary
The Scheduling Plugin – Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cbsb_disconnect_settings' function in all versions up to, and including, 3.5.10. This makes it possible for unauthenticated attackers to disconnect the plugin from the startbooking service and remove connection data.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| startbooking | Scheduling Plugin – Online Booking for WordPress |
Affected:
0 , ≤ 3.5.10
(semver)
|
|
| startbooking | scheduling_plugin |
Affected:
0 , ≤ 3.5.10
(custom)
cpe:2.3:a:startbooking:scheduling_plugin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:startbooking:scheduling_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "scheduling_plugin",
"vendor": "startbooking",
"versions": [
{
"lessThanOrEqual": "3.5.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-18T13:51:59.512257Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-18T13:54:50.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:20.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60e642f9-74ff-47f1-a49d-99c8fdb26f4a?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/calendar-booking/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Scheduling Plugin \u2013 Online Booking for WordPress",
"vendor": "startbooking",
"versions": [
{
"lessThanOrEqual": "3.5.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Scheduling Plugin \u2013 Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027cbsb_disconnect_settings\u0027 function in all versions up to, and including, 3.5.10. This makes it possible for unauthenticated attackers to disconnect the plugin from the startbooking service and remove connection data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:56:41.676Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60e642f9-74ff-47f1-a49d-99c8fdb26f4a?source=cve"
},
{
"url": "https://wordpress.org/plugins/calendar-booking/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-17T14:10:37.000Z",
"value": "Disclosed"
}
],
"title": "Scheduling Plugin \u2013 Online Booking for WordPress \u003c= 3.5.10 - Missing Authorization to Unauthenticated Service Disconnection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1634",
"datePublished": "2024-06-18T02:37:12.621Z",
"dateReserved": "2024-02-19T17:10:34.228Z",
"dateUpdated": "2026-04-08T16:56:41.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}