Cyber Resilience

CVE-2024-30516

High

Published: 05 January 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0016 (37.3rd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-30516 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 37.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-30516 is an Improper Validation of Specified Quantity in Input vulnerability in the SaasProject Booking Package WordPress plugin. The flaw allows access to functionality that is not properly constrained by ACLs and affects all versions through 1.6.27 (the CVE record gives no lower bound). The vulnerability is associated with CWE-1284 and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to its network accessibility and integrity impact.

Unauthenticated attackers with network access can exploit this vulnerability with low complexity and without user interaction. Successful exploitation enables high-impact integrity violations, such as manipulating prices in the booking system, without affecting confidentiality or availability.

The Patchstack advisory documents this as a price manipulation vulnerability in the WordPress Booking Package plugin, version 1.6.27, and provides details on the issue.

Vulnerability details

Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Booking Package: from n/a through 1.6.27.

CWE(s)

CWE-1284: Improper Validation of Specified Quantity in Input

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated exploitation of a public-facing WordPress plugin via improper input validation, enabling price manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27384 (Shared CWE-1284)
CVE-2026-5260 (Shared CWE-1284)
CVE-2026-44826 (Shared CWE-1284)
CVE-2026-3381 (Shared CWE-1284)
CVE-2025-55398 (Shared CWE-1284)
CVE-2023-54337 (Shared CWE-1284)
CVE-2026-8047 (Shared CWE-1284)
CVE-2026-1092 (Shared CWE-1284)
CVE-2026-30573 (Shared CWE-1284)
CVE-2025-14513 (Shared CWE-1284)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly addresses the improper validation of specified quantity in input by requiring validation of external inputs before processing in the booking plugin.

Prevent: Enforces access control policies to constrain functionality by ACLs, preventing unauthorized access and manipulation such as price changes.

Prevent: Requires timely identification, reporting, and correction of flaws like this input validation vulnerability in the WordPress plugin.