Cyber Posture

CVE-2024-13677

High

Published: 18 February 2025
Modified: 21 February 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (14.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13677 is a high-severity Missing Authorization (CWE-862) vulnerability in the Istmoplugins GetBookingsWP plugin for WordPress. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score places it at the 14.8th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3, Access Enforcement): Enforces approved authorizations for updating user details such as email addresses, directly preventing the unauthorized modifications that enable account takeover.

prevent (AC-6, Least Privilege): Restricts subscriber-level users from performing administrative actions such as changing other users' email addresses.

prevent: Establishes procedures for secure account management, including identity validation before modifying user attributes, to mitigate improper updates.

NVD Description

The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Deeper analysis

CVE-2024-13677 is a privilege escalation vulnerability affecting the GetBookingsWP – Appointments Booking Calendar Plugin for WordPress in all versions up to and including 1.1.27. The issue stems from the plugin failing to properly validate a user's identity before allowing updates to their details, such as email addresses, which is tied to CWE-862 (Missing Authorization). It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and potential for significant confidentiality, integrity, and availability impacts.

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability to update the email addresses of arbitrary users, including administrators. By changing an administrator's email, the attacker can then trigger a password reset process using the new email address under their control, resulting in full account takeover and potential privilege escalation to gain administrative control over the WordPress site.

Advisories and further details are available from sources including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/b6b0dc03-3715-41f8-8888-1cccddb39c0b?source=cve and the plugin's source code at https://plugins.trac.wordpress.org/browser/get-bookings-wp/trunk/classes/user.php, which highlight the flawed user update logic in the user.php file.
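The flaw class described above, as an added illustration for defenders (this is not the plugin's own code, and the function and action names are hypothetical): a WordPress AJAX handler that updates a user's email. The insecure form trusts the caller-supplied user ID, which is the CWE-862 pattern the advisory describes; the hardened form enforces AC-3 and AC-6 with the checks WordPress core already provides.

```php
<?php
// BEFORE (hypothetical, insecure): any logged-in user can target any user ID,
// because nothing ties the requested ID to the caller's own account.
function gbwp_example_update_email_insecure() {
    $user_id = (int) $_POST['user_id'];
    $email   = sanitize_email( $_POST['email'] );
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// AFTER (hypothetical, hardened): the same operation with authorization,
// CSRF protection and input validation in front of the write.
function gbwp_example_update_email_secure() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'gbwp_example_update_email', 'nonce' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $email   = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // 2. Authorization (AC-3 / AC-6): the caller must be allowed to edit *this*
    //    user. WordPress maps 'edit_user' on your own ID to 'exist' (everyone),
    //    and on any other ID to 'edit_users' (administrators by default), so a
    //    subscriber can change only their own address.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_die()s here
    }

    // 3. Validation: well-formed, and not already owned by a different account.
    $owner = email_exists( $email );
    if ( ! is_email( $email ) || ( $owner && (int) $owner !== $user_id ) ) {
        wp_send_json_error( 'invalid_email', 400 );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
// Only the hardened handler is registered; the insecure one is shown for contrast.
add_action( 'wp_ajax_gbwp_example_update_email', 'gbwp_example_update_email_secure' );
```

The key control is the `current_user_can( 'edit_user', $user_id )` call on the specific target ID; a check such as `is_user_logged_in()` alone would still admit the subscriber-level attacker the advisory describes.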

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products: istmoplugins / get bookings wp, versions ≤ 1.1.27

CVEs Like This One

CVE-2024-12365 (shared CWE-862)
CVE-2025-67974 (shared CWE-862)
CVE-2025-65669 (shared CWE-862)
CVE-2026-28254 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2025-69297 (shared CWE-862)
CVE-2025-69186 (shared CWE-862)
CVE-2026-25456 (shared CWE-862)
CVE-2024-12810 (shared CWE-862)