CVE-2023-25037 – Booking Calendar Contact Form <= 1.2.34 - Missing Authorization to Authenticated (Subscriber+) Feedback Form Submission

https://notcve.org/view.php?id=CVE-2023-25037

The Booking Calendar Contact Form plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cpdexbccf_feedback function called via the cpdexbccf_feedback AJAX action in versions up to, and including, 1.2.34. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to perform an unauthorized feedback form submission. • CWE-862: Missing Authorization •