Appointment Booking Calendar Vulnerability — Simply Schedule Appointments Booking Plugin – Cross-Site Request Forgery to Plugin Data Reset – CVE-2024-1760 | WordPress Plugin Vulnerability Report
Plugin Name: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Key Information:
- Software Type: Plugin
- Software Slug: simply-schedule-appointments
- Software Status: Active
- Software Author: croixhaug
- Software Downloads: 943,138
- Active Installs: 60,000
- Last Updated: March 7, 2024
- Patched Versions: 1.6.6.24
- Affected Versions: <= 1.6.6.20
Vulnerability Details:
- Name: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.6.20
- Title: Cross-Site Request Forgery to Plugin Data Reset
- Type: Cross-Site Request Forgery (CSRF)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CVE: CVE-2024-1760
- CVSS Score: 4.3 (Medium)
- Publicly Published: March 5, 2024
- Researcher: Krzysztof Zając - CERT PL
- Description: The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.6.6.20 because the ssa_factory_reset() function does not validate a nonce. An unauthenticated attacker can therefore trigger a reset of the plugin's settings and data by tricking a logged-in administrator into clicking a crafted link or visiting an attacker-controlled page; the browser attaches the administrator's session cookies, so the forged request is processed as if the administrator had issued it. The outcome is loss of plugin data and disruption of the booking service (integrity impact only; the attacker learns nothing and cannot take the site down beyond the reset).
Summary:
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress has a vulnerability in versions up to and including 1.6.6.20 that exposes sites to Cross-Site Request Forgery attacks aimed at resetting plugin data. This vulnerability has been rectified in the patched version 1.6.6.24.
Detailed Overview:
Discovered by Krzysztof Zając of CERT PL, this CSRF vulnerability is a tangible risk to sites running an affected version of the plugin. CSRF abuses the trust a site places in the user's browser: any request the browser sends to the site, including one initiated from a third-party page, carries the user's authentication cookies. WordPress defends against this with nonces, short-lived tokens tied to a user and an action that a handler must verify before acting; because the plugin's reset function performs no such check, a forged request from a page the administrator merely visits is enough to reset the plugin's settings and appointment data. No exploit details beyond the missing nonce check have been published.
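The following is an added illustration, not code from the Simply Schedule Appointments plugin or from CERT PL. It shows the general pattern behind this class of bug in a WordPress admin-ajax handler: a reset action that acts on any request from a logged-in administrator, beside the hardened form that requires both a capability and a valid nonce. The hook name, option name and function names (example_factory_reset, example_plugin_settings) are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, wp_create_nonce, wp_send_json_*) are real.

```php
<?php
// Added example, not the plugin's own code. All example_* names and the
// 'example_plugin_settings' option are hypothetical; the WordPress functions
// used here exist with these signatures and the code is meant to run inside
// a plugin, not stand-alone.

// BEFORE: the pattern that produces a CSRF to data reset. Nothing here proves
// the request came from the plugin's own admin page, so a request forged by a
// third-party site and sent by an administrator's browser performs the reset.
// (Not registered below so that it cannot run alongside the hardened handler.)
function example_factory_reset_vulnerable() {
    delete_option( 'example_plugin_settings' );   // destructive, unauthenticated action
    wp_send_json_success( 'reset' );
}

// AFTER: require a capability AND a nonce bound to this specific action.
function example_factory_reset_hardened() {
    // 1. Capability check: the caller must be allowed to administer the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // sends JSON and exits
    }

    // 2. Nonce check: check_ajax_referer() verifies $_REQUEST['_wpnonce'] against
    //    the 'example_factory_reset' action for the current user and, by default,
    //    terminates the request with -1 if the nonce is missing or invalid.
    //    A cross-site page cannot obtain a valid nonce for the victim, so the
    //    forged request dies here.
    check_ajax_referer( 'example_factory_reset', '_wpnonce' );

    // 3. Only now perform the destructive action.
    delete_option( 'example_plugin_settings' );
    wp_send_json_success( 'reset' );
}
add_action( 'wp_ajax_example_factory_reset', 'example_factory_reset_hardened' );

// The admin page that offers the button must emit a matching nonce; the
// front-end script sends it back as _wpnonce together with action=example_factory_reset.
function example_render_reset_button() {
    $nonce = wp_create_nonce( 'example_factory_reset' );
    printf(
        '<button type="button" id="example-reset" data-nonce="%s">Reset plugin data</button>',
        esc_attr( $nonce )
    );
}
```

Two points worth keeping in mind when reviewing a fix like this: the nonce check and the capability check are independent, since a nonce only proves the request originated from a page the site rendered for that user, not that the user may perform the action; and the nonce must be tied to a specific action string rather than a generic one, otherwise a nonce leaked from any harmless form on the site would authorise the reset.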
Advice for Users:
- Immediate Action: Update to version 1.6.6.24 or later without delay; the patched release adds the missing nonce validation to the reset function.
- Check for Signs of Exploitation: If the plugin's settings or appointment data have unexpectedly reverted to defaults, treat that as a possible sign of exploitation. Review web server access logs around the time of the reset for requests to the site's admin-ajax or REST endpoints that carry an unexpected Referer or Origin header, and restore settings and data from a backup taken before the reset.
- Alternate Plugins: If you cannot apply the update promptly, consider temporarily replacing the plugin with an alternative that offers similar functionality and has a strong security track record; once updated, the patched version addresses this issue.
- Stay Updated: Keep WordPress core, themes and all plugins current. Most attacks against WordPress sites target publicly known vulnerabilities for which a patch already exists.
Conclusion:
The quick response in addressing the vulnerability in the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin with a patch underscores the critical nature of maintaining up-to-date software on your WordPress site. Website administrators are strongly advised to upgrade to version 1.6.6.24 or later to safeguard their online platforms against potential exploitation.