CVE-2023-51354: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the WebbaPlugins Appointment & Event Booking Calendar Plugin – Webba Booking for WordPress, affecting all versions up to and including 4.5.33. The vulnerability was reported by security researcher Skalucy and was disclosed on December 26, 2023 (Patchstack, WPScan).

The vulnerability stems from missing or incorrect nonce validation on an undisclosed function within the plugin. The severity of this vulnerability has been assessed with different CVSS scores: NIST assigned a high severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack rated it as medium severity with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

The vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into clicking malicious links. While the specific impact details are not fully disclosed, CSRF vulnerabilities typically enable attackers to force authenticated users to execute unwanted actions under their current authentication level (Patchstack).

The vulnerability has been fixed in version 5.0 of the Webba Booking plugin. Users are advised to update to version 5.0 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).