[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPHSp0VWcVkl59WSPNnRfFFgCmYqhywoe5u2Po5bARZo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-27405","appointment-booking-plugin-for-woocommerce-wpbookingly-all-in-one-service-manager-missing-authorization-2","Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager \u003C= 1.2.9 - Missing Authorization","The Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with author-level access and above, to perform an unauthorized action.","service-booking-manager",null,"\u003C=1.2.9","1.3.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-20 00:00:00","2026-05-26 19:17:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd9ce0bef-da72-441a-8de0-89c77115a38c?source=api-prod",7,[],"researched",false,3,"This exploitation research plan targets a Missing Authorization vulnerability in the **WpBookingly | All-in-One Service Manager** plugin (version \u003C= 1.2.9).\n\n### 1. Vulnerability Summary\nThe `service-booking-manager` plugin (WpBookingly) fails to implement proper capability checks (e.g., `current_user_can( 'manage_options' )`) on its AJAX administrative functions. While the functions are registered under the `wp_ajax_` hook (restricting them to authenticated users), they do not verify if the user has the required administrative privileges. This allows any authenticated user with **Author** level permissions or higher to perform administrative actions, such as modifying plugin settings or managing bookings.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `wpbookingly_save_settings` (Inferred based on standard plugin architecture) or `wpbookingly_delete_booking`.\n*   **Parameters:** `action`, `nonce`, and the settings payload (e.g., `settings_data`).\n*   **Authentication:** Authenticated (Author level and above).\n*   **Precondition:** The attacker must have a valid session cookie for an Author-level user.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers AJAX handlers in a class (likely `WpBookingly_Admin` or `WpBookingly_Ajax`) using:\n    `add_action( 'wp_ajax_wpbookingly_save_settings', array( $this, 'save_settings' ) );`\n2.  **Missing Check:** The `save_settings` function likely verifies a nonce using `check_ajax_referer` but fails to call `current_user_can()`.\n3.  **Sink:** The function processes the `$_POST` data and calls `update_option( 'wpbookingly_settings', ... )`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely enqueues administrative scripts and localizes a nonce for the admin interface. Because the vulnerability specifically mentions **Author-level** access, it is highly probable that the plugin's menu or scripts are loaded for Authors as well as Admins.\n\n1.  **Identify Script Localization:** Search for `wp_localize_script` in the plugin source to find the variable name.\n2.  **Target Variable:** `wpbookingly_admin_params` or `wpbookingly_obj` (Inferred).\n3.  **Key:** `nonce` or `security`.\n4.  **Acquisition Steps:**\n    *   Create an Author user and log in.\n    *   Navigate to the WordPress Dashboard (`\u002Fwp-admin\u002F`).\n    *   Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.wpbookingly_admin_params?.nonce || window.wpbookingly_obj?.security\")`\n\n### 5. Exploitation Strategy\nWe will attempt to modify the plugin's global settings to demonstrate unauthorized modification.\n\n*   **Step 1:** Log in as an Author user.\n*   **Step 2:** Navigate to `\u002Fwp-admin\u002F` and extract the AJAX nonce.\n*   **Step 3:** Construct a malicious POST request to update plugin settings. We will attempt to change a benign but verifiable setting, such as the \"Booking Success Message\" or \"Admin Email\".\n\n**HTTP Request (via `http_request`):**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=wpbookingly_save_settings&security=[NONCE]&settings[general][admin_email]=attacker@example.com&settings[general][success_message]=Exploited\n```\n*(Note: Parameter names like `settings[general]` are inferred and must be verified against the `save_settings` function logic.)*\n\n### 6. Test Data Setup\n1.  **Install Plugin:** WpBookingly version 1.2.9.\n2.  **Create User:**\n    `wp user create attacker attacker@example.com --role=author --user_pass=password123`\n3.  **Plugin Configuration:** Ensure the plugin is activated and at least one booking service is created to populate default options.\n\n### 7. Expected Results\n*   **Response:** The server should return a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   **State Change:** The plugin's settings stored in the database (option: `wpbookingly_settings`) will be updated with the attacker-supplied values.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the change using WP-CLI:\n```bash\n# Check if the admin email in the plugin settings has been changed\nwp option get wpbookingly_settings --format=json | jq '.[general][admin_email]'\n```\nIf the output is `attacker@example.com`, the exploitation of the Missing Authorization is confirmed.\n\n### 9. Alternative Approaches\nIf `wpbookingly_save_settings` is not the vulnerable action, investigate the following alternatives:\n\n1.  **Action:** `wpbookingly_delete_booking`\n    *   **Goal:** Unauthorized deletion of customer bookings.\n    *   **Requirement:** Identify a valid booking ID (`wp_post` of type `wpbookingly_booking`).\n2.  **Action:** `wpbookingly_export_bookings`\n    *   **Goal:** Unauthorized data exfiltration of customer details.\n    *   **Target:** Sensitive customer PII (names, emails, phone numbers).\n3.  **Nonce Bypass:** If `check_ajax_referer` is missing entirely, the exploit can be performed via CSRF (though the CVE specifically notes authenticated author access, suggesting the nonce might be present but the capability check is not).","The WpBookingly plugin for WordPress fails to perform capability checks on its AJAX administrative functions, such as those used for saving plugin settings. This allows authenticated users with Author-level permissions or higher to modify plugin configurations or perform other administrative actions by providing a valid security nonce.","\u002F\u002F Inferred from plugin architecture and research plan\n\u002F\u002F Likely located in an admin class or AJAX handler file\n\nadd_action( 'wp_ajax_wpbookingly_save_settings', array( $this, 'save_settings' ) );\n\npublic function save_settings() {\n    \u002F\u002F Only verifies the nonce, fails to check if the user has administrative privileges\n    check_ajax_referer( 'wpbookingly_admin_nonce', 'security' );\n\n    if ( isset( $_POST['settings_data'] ) ) {\n        $settings = $_POST['settings_data'];\n        update_option( 'wpbookingly_settings', $settings );\n        wp_send_json_success( array( 'message' => 'Settings saved successfully' ) );\n    }\n}","--- a\u002Fincludes\u002Fadmin\u002Fclass-wpbookingly-admin-ajax.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-wpbookingly-admin-ajax.php\n@@ -15,6 +15,10 @@\n     public function save_settings() {\n         check_ajax_referer( 'wpbookingly_admin_nonce', 'security' );\n \n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            wp_send_json_error( array( 'message' => 'Unauthorized access' ) );\n+        }\n+\n         if ( isset( $_POST['settings_data'] ) ) {\n             $settings = $_POST['settings_data'];\n             update_option( 'wpbookingly_settings', $settings );","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php. An attacker must first obtain a valid session as an Author-level user. Once authenticated, the attacker extracts the security nonce (likely localized in the browser as part of the wpbookingly_admin_params or similar JavaScript object) by visiting the WordPress dashboard. The attacker then sends a POST request to admin-ajax.php with the 'action' parameter set to 'wpbookingly_save_settings' (or other administrative actions), the extracted nonce in the 'security' parameter, and a 'settings_data' payload containing the desired configuration changes. This allows the attacker to overwrite plugin options like administrative email addresses or service configurations.","gemini-3-flash-preview","2026-06-04 22:52:01","2026-06-04 22:52:29",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fservice-booking-manager\u002Ftags"]