CVE-2024-8794 MEDIUM

CVE-2024-8794: BA Book Everything <= 1.6.20 - Unauthenticated Arbitrary User Password Reset

Vendor Bookingalgorithms
Product BA Book Everything
Weakness CWE-620 · Unverified password change
Published September 24, 2024
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a user's identity prior to setting a password. This makes it possible for unauthenticated attackers to reset any user's passwords, including administrators. It's important to note that the attacker will not have access to the generated password, therefore, privilege escalation is not possible.

Key dates

02Disclosure timeline

September 24, 2024 CVE published
April 8, 2026 Record updated