What the vulnerability does
01 Description
Missing Authorization vulnerability in shiptrack Booking Calendar and Notification booking-calendar-and-notification allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking Calendar and Notification: from n/a through <= 4.0.3.
Explanation of Vulnerability in Simple Terms
02 Summary
Booking Calendar and Notification versions 4.0.3 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify data on affected sites. An attacker can send network requests without credentials to alter booking or notification records. Sites running this product should update immediately to a patched version.
What an attacker can do
03 Attacker Capabilities
Modify booking and notification data without logging in.
Potential impact on your site
04 Site Impact
Attackers can alter bookings and notifications, disrupting service and potentially causing data loss.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
April 4, 2025: CVE published
April 28, 2026: Record updated