CVE-2023-49758: 
WordPress vulnerability analysis and mitigation

The WP Booking System WordPress plugin contains a Missing Authorization vulnerability (CVE-2023-49758) that affects versions up to and including 2.0.19.2. The vulnerability was discovered by Abdi Pranata and publicly disclosed on December 4, 2023. This security issue is present in the Veribo, Roland Murg WP Booking System plugin and involves incorrectly configured access control security levels (WPScan, Patchstack).

The vulnerability stems from a missing capability check in the wpbssavecalendardata function. This security flaw has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue is classified under CWE-862 (Missing Authorization) and falls into the OWASP Top 10 category A5: Broken Access Control (WPScan, [Patchstack](https://patchstack.com/database/wordpress/plugin/wp-booking-system/vulnerability/wordpress-wp-booking-system-plugin-2-0-19-2-broken-access-control-vulnerability?s_id=cve)).

The vulnerability allows authenticated attackers with subscriber-level access and above to save calendar data without proper authorization. This broken access control issue could lead to unprivileged users executing certain higher privileged actions (Patchstack).

The vulnerability has been fixed in version 2.0.19.3 of the WP Booking System plugin. Users are advised to update to this version or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).