CVE-2022-0709: 
WordPress vulnerability analysis and mitigation

The Booking Package WordPress plugin before version 1.5.29 contains a sensitive data disclosure vulnerability (CVE-2022-0709). The vulnerability was discovered by huli of Cymetrics and publicly disclosed on March 9, 2022. The issue affects the plugin's calendar export functionality, where a required token for exporting the iCal representation of the booking calendar is exposed to unauthenticated users (WPScan Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). When a guest makes a booking by sending a request with 'action: package_app_public_action' and 'mode: sendbooking', the response includes an 'icalToken' field that should be restricted (WPScan Advisory).

If the plugin has iCal integration enabled, an attacker can exploit this vulnerability to download all booking data, including sensitive information such as email addresses and names of all customers. This represents a significant privacy breach for businesses using the affected plugin version (WPScan Advisory).

The vulnerability has been fixed in version 1.5.29 of the Booking Package WordPress plugin. Users are advised to update to this version or later to protect against unauthorized access to sensitive booking information (WPScan Advisory).