Exploit for WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR CVE-2023-1129

Name: Exploit for WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR CVE-2023-1129
Rating: 5 (30 reviews)

2023-04-03 | CVSS 4.0

## https://sploitus.com/exploit?id=WPEX-ID:D40479DE-FB04-41B8-9FB0-41B9EEFBD8AF
1. Book (or cancel booking) an event using an authenticated user.
2. Intercept the request using an HTTP Proxy (e.g., BurpSuite).
3. Change the `idUser` parameter in the request, and forward it.

Note: Since the `idUser` value is an incremental numerical value, it is easily brute forced.