CVE-2022-37344: 
WordPress vulnerability analysis and mitigation

A Missing Access Control vulnerability was identified in the PHP Crafts Accommodation System WordPress plugin versions 1.0.1 and below. The vulnerability was discovered and disclosed in August 2022, with the CVE identifier CVE-2022-37344 being assigned on August 9, 2022. The affected software is a WordPress plugin designed for managing accommodation systems (WordPress Plugin).

The vulnerability is classified as a Missing Access Control issue (CWE-264) where the plugin fails to implement proper authorization checks for various actions. This allows users with roles as low as subscriber to perform unauthorized actions. The vulnerability received a CVSS v3.1 Base Score of 9.8 (CRITICAL) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Patchstack assigned a slightly lower CVSS score of 7.6 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L (NVD Database).

The vulnerability allows authenticated users with subscriber-level access to perform unauthorized actions within the WordPress installation. This could potentially lead to unauthorized access to sensitive information, modification of content, and other privileged operations that should be restricted to higher-level roles (WPScan).

As of August 24, 2022, the plugin has been closed and is no longer available for download from the WordPress plugin repository due to this security issue. Users are advised to remove the plugin from their WordPress installations as there are no patches available (WordPress Plugin).