CVE-2024-12274: 
WordPress vulnerability analysis and mitigation

The BookingPress Appointment Booking Calendar Plugin and Scheduling Plugin for WordPress versions before 1.1.23 contains a sensitive data disclosure vulnerability (CVE-2024-12274). The vulnerability exists in the export settings functionality which exports data to a public folder with easily guessable filenames, allowing unauthenticated attackers to access the exported files if they exist (WPScan).

The vulnerability stems from the plugin's export functionality which saves exported data in a predictable location under the wp-content/uploads/bookingpressexportrecords/ directory with filenames following the pattern 'bookingpressexportdata-X.txt' where X is a sequential number. The vulnerability has been assigned a CVSS 3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with no privileges required (NVD).

When exploited, this vulnerability can lead to the exposure of sensitive information including WordPress usernames, hashed passwords, email addresses, phone numbers, and SMTP passwords of both administrators and booking users (WPScan).

The vulnerability has been fixed in version 1.1.23 of the BookingPress plugin. Site administrators should update to this version or later to protect against this vulnerability (WPScan).