CVE-2024-8432: 
WordPress vulnerability analysis and mitigation

The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress (CVE-2024-8432) contains a vulnerability related to unauthorized modification of data. The issue affects all versions up to and including 5.0.48, discovered and reported on September 23, 2024. The vulnerability stems from a missing capability check on the save_appearance() function (NVD).

The vulnerability is characterized by a missing authorization check in the save_appearance() function, which allows authenticated users with Subscriber-level access or higher to modify the booking form's CSS. The severity is rated as MEDIUM with a CVSS v3.1 base score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). The weakness is classified as CWE-862 (Missing Authorization) (NVD, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level privileges or higher to modify the CSS settings of the booking form. This could potentially lead to unauthorized customization of the booking form's appearance, affecting the visual presentation of the plugin (NVD).

Users are advised to update to a version newer than 5.0.48 which contains the security fix. The vulnerability has been patched in subsequent releases (WordPress Plugin).