CVE-2025-4691

5/31/2025 12:15:20 PM

2 روز قبل

Reporter :security@wordfence.com

Modified :5/31/2025 12:15:20 PM

Problem Data :CWE-639

Description

The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.

Cvss Version 3.1

5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality Impact	Low
Integrity Impact	None
Availability Impact	None

EPSS

Epss Score	0.00023
Epss Percentile	0.04621

ریسک پائین:: این آسیب پذیری احتمال ارائه Exploit پائینی دارد. به روز رسانی و نظارت معمولی را لحاظ نمائید.

پیشنهادات:

به بروزرسانی مداوم سیستم و یا شبکه خود ادامه دهید.
از بروزرسانی های آتی این آسیب پذیری مطلع شوید.

Reference

لینک	منبع	تگ ها
https://plugins.trac.wordpress.org/changeset/3300408/
https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9953b3-dd09-4c80-be11-4daf3bbac720?source=cve
https://plugins.trac.wordpress.org/browser/easync-booking/tags/1.3.17/easync.php#L4859
https://plugins.trac.wordpress.org/changeset/3293607/
https://plugins.trac.wordpress.org/changeset/3243634/