CVE-2024-2844 - Vulnerability Details - OpenCVE

ReportizFlow

The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users orders.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Easyappointments	Easyappointments

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/src/ajax.php#L380
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3059359%40easy-appointments&new=3059359%40easy-appointments&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/c0d8ac01-ac73-47ea-839b-edc820436f27?source=cve

History

No history.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-03-29T05:35:33.762Z

Updated: 2024-08-01T19:25:42.151Z

Reserved: 2024-03-22T19:57:07.496Z

Link: CVE-2024-2844

Vulnrichment

Updated: 2024-07-31T19:47:09.899Z

NVD

Status : Awaiting Analysis

Published: 2024-03-29T06:15:08.153

Modified: 2024-11-21T09:10:39.643

Link: CVE-2024-2844

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2844", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-03-22T19:57:07.496Z", "datePublished": "2024-03-29T05:35:33.762Z", "dateUpdated": "2024-08-01T19:25:42.151Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-29T05:35:33.762Z"}, "affected": [{"vendor": "loncar", "product": "Easy Appointments", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.11.18", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users orders."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0d8ac01-ac73-47ea-839b-edc820436f27?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/src/ajax.php#L380"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3059359%40easy-appointments&new=3059359%40easy-appointments&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "timeline": [{"time": "2024-03-28T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"affected": [{"vendor": "easyappointments", "product": "easyappointments", "cpes": ["cpe:2.3:a:easyappointments:easyappointments:*:*:*:*:*:wordpress:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.11.18", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-31T19:34:22.990435Z", "id": "CVE-2024-2844", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T19:47:15.230Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:25:42.151Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0d8ac01-ac73-47ea-839b-edc820436f27?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/src/ajax.php#L380", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3059359%40easy-appointments&new=3059359%40easy-appointments&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-31T19:34:22.990435Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:easyappointments:easyappointments:*:*:*:*:*:wordpress:*:*"], "vendor": "easyappointments", "product": "easyappointments", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.11.18"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T19:47:09.899Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "loncar", "product": "Easy Appointments", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.11.18"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-03-28T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0d8ac01-ac73-47ea-839b-edc820436f27?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/src/ajax.php#L380"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3059359%40easy-appointments&new=3059359%40easy-appointments&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users orders."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-29T05:35:33.762Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2844", "state": "PUBLISHED", "dateUpdated": "2024-07-31T19:47:15.230Z", "dateReserved": "2024-03-22T19:57:07.496Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-03-29T05:35:33.762Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users orders."}, {"lang": "es", "value": "El complemento Easy Appointments para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una validaci\u00f3n insuficiente del usuario en la funci\u00f3n ajax_cancel_appointment() en todas las versiones hasta la 3.11.18 incluida. Esto hace posible que atacantes no autenticados cancelen los pedidos de otros usuarios."}], "id": "CVE-2024-2844", "lastModified": "2024-11-21T09:10:39.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-03-29T06:15:08.153", "references": [{"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/src/ajax.php#L380"}, {"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3059359%40easy-appointments&new=3059359%40easy-appointments&sfp_email=&sfph_mail="}, {"source": "[email protected]", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0d8ac01-ac73-47ea-839b-edc820436f27?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/src/ajax.php#L380"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3059359%40easy-appointments&new=3059359%40easy-appointments&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0d8ac01-ac73-47ea-839b-edc820436f27?source=cve"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis"}