[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fJvbOnA_5Yl85GuO30eGCLdspgCADPclGS2ps8L_m_38":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-25444","appointment-booking-plugin-for-woocommerce-wpbookingly-all-in-one-service-manager-missing-authorization","Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager \u003C= 1.2.9 - Missing Authorization","The Appointment Booking Plugin for WooCommerce – WpBookingly | All-in-One Service Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.","service-booking-manager",null,"\u003C=1.2.9","1.3.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-26 00:00:00","2026-06-01 16:13:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd230a727-0838-4b64-99f6-c91a362aacf7?source=api-prod",7,[],"researched",false,3,"This research plan targets **CVE-2026-25444**, a missing authorization vulnerability in the **WpBookingly** (service-booking-manager) plugin for WordPress. This vulnerability allows authenticated users with Contributor-level access to execute unauthorized actions.\n\n---\n\n### 1. Vulnerability Summary\nThe **Appointment Booking Plugin for WooCommerce – WpBookingly** (versions \u003C= 1.2.9) fails to implement proper authorization checks (e.g., `current_user_can()`) in one or more of its AJAX handler functions. While the plugin may check if a user is logged in (via the `wp_ajax_` hook registration), it does not verify if the logged-in user possesses the necessary administrative capabilities to perform sensitive operations, such as modifying plugin settings or managing booking data.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Authentication:** Authenticated, Contributor-level role (`PR:L`).\n*   **Vulnerable Action:** An AJAX action registered via `add_action( 'wp_ajax_...', ... )` that lacks a capability check. \n*   **Target Functionality:** Likely candidate functions include settings updates, service management, or staff management (e.g., `wpbookingly_save_settings`, `wpbookingly_delete_service`).\n*   **Preconditions:** The plugin must be active, and a valid nonce must be obtained (if enforced).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The attacker sends a `POST` request to `admin-ajax.php` with a specific `action` parameter.\n2.  **Hook Trigger:** WordPress triggers the corresponding `wp_ajax_{action}` hook.\n3.  **Vulnerable Callback:** The callback function (likely in an `AJAX` or `Admin` class) is executed.\n4.  **Missing Check:** The function may call `check_ajax_referer()` (verifying the nonce) but fails to call `current_user_can( 'manage_options' )` or a similar check.\n5.  **Sink:** The function proceeds to update the database via `update_option()`, `$wpdb->update()`, or `$wpdb->delete()`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin likely localizes a nonce for its admin interface. To obtain this as a Contributor:\n\n1.  **Identify the Script Handle:** Search for `wp_localize_script` in the plugin code to find the JS object name.\n2.  **Locate the Page:** Find an admin page accessible to Contributors where the plugin scripts are loaded. If the plugin only loads scripts on its own settings page (usually restricted), check if scripts are loaded on the Dashboard or Profile page.\n3.  **Execution:**\n    *   Log in as a **Contributor**.\n    *   Navigate to `\u002Fwp-admin\u002Findex.php`.\n    *   Use `browser_eval` to search for the nonce:\n        ```javascript\n        \u002F\u002F Common patterns for this plugin (inferred)\n        window.wpbookingly_ajax?.nonce || window.wp_bookingly_vars?.security\n        ```\n    *   *Verification:* Grep the source for `wp_create_nonce` to identify the exact action string and the variable name used in `wp_localize_script`.\n\n### 5. Exploitation Strategy\n\n#### Discovery Phase (Automated Agent)\nBefore sending the exploit, the agent must identify the specific vulnerable action:\n1.  `grep -rn \"add_action( 'wp_ajax_\" .` inside the plugin directory.\n2.  Inspect the callback functions for those actions. Look for any function that **does not** contain the string `current_user_can`.\n3.  Target actions related to `settings`, `save`, `delete`, or `update`.\n\n#### Exploit Step: Unauthorized Option Update (Example)\n*   **Action:** `wpbookingly_save_settings` (inferred)\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    action=wpbookingly_save_settings&nonce=[NONCE]&option_name=users_can_register&option_value=1\n    ```\n    *(Note: If the function updates plugin-specific settings, target a setting that impacts security, such as an \"authorized roles\" setting or a redirect URL.)*\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Install WpBookingly version 1.2.9.\n2.  **Create User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n3.  **Identify Plugin Setting:** Find a plugin setting to toggle for verification (e.g., `wpbookingly_booking_mode`).\n\n### 7. Expected Results\n*   **Successful Exploit:** The server returns a success response (e.g., `{\"success\":true}` or `1`).\n*   **Database Change:** The targeted setting or data is modified in the `wp_options` or plugin-specific table.\n*   **Bypass:** The action is completed despite the user only having `contributor` permissions.\n\n### 8. Verification Steps\nAfter the `http_request`, verify the change using WP-CLI:\n```bash\n# Check if a global option was changed\nwp option get wpbookingly_settings\n\n# Check if a specific service was deleted\u002Fmodified\nwp db query \"SELECT * FROM wp_wpbookingly_services\"\n```\n\n### 9. Alternative Approaches\nIf the `wpbookingly_save_settings` action is protected or doesn't exist, search for:\n*   **Export\u002FDownload Actions:** Look for `wp_ajax_wpbookingly_export_bookings`. This could lead to unauthorized data disclosure (CVSS:C).\n*   **Staff\u002FService Management:** Look for `wp_ajax_wpbookingly_delete_staff`. This allows a Contributor to delete staff members or services, causing a Denial of Service for the booking system.\n*   **Check for Nonce Reuse:** If the nonce check is missing entirely (not just the capability check), the attack can be performed as a CSRF. Check if `check_ajax_referer` is missing in the identified callback.","The WpBookingly plugin for WordPress (up to version 1.2.9) fails to implement proper capability checks within its AJAX handler functions. This allows authenticated attackers, such as those with Contributor-level access, to perform unauthorized administrative actions including modifying plugin settings, managing services, or deleting staff members.","To exploit this vulnerability, an attacker must first authenticate as a user with at least Contributor-level permissions. They need to retrieve a valid security nonce, typically found in localized JavaScript variables like 'wpbookingly_ajax' or 'wp_bookingly_vars' on admin dashboard pages. Using this nonce, the attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with an 'action' parameter corresponding to a vulnerable callback (e.g., 'wpbookingly_save_settings' or 'wpbookingly_delete_staff'). Because the plugin only verifies the nonce and not the user's capabilities, the request will be processed, allowing the attacker to manipulate plugin data or settings.","gemini-3-flash-preview","2026-06-04 20:58:06","2026-06-04 20:58:30",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fservice-booking-manager\u002Ftags"]