Share
## https://sploitus.com/exploit?id=WPEX-ID:D40479DE-FB04-41B8-9FB0-41B9EEFBD8AF
1. Book (or cancel booking) an event using an authenticated user.
2. Intercept the request using an HTTP Proxy (e.g., BurpSuite).
3. Change the `idUser` parameter in the request, and forward it.

Note: Since the `idUser` value is an incremental numerical value, it is easily brute forced.