Research Plan: CVE-2026-1083 - Stored XSS in Appointment Hour Booking

1. Vulnerability Summary

The Appointment Hour Booking plugin (<= 1.5.60) contains a stored cross-site scripting (XSS) vulnerability in the form builder interface. The plugin fails to sufficiently sanitize or escape the Min length/characters and Max length/characters configuration values for form fields. When an administrator (or attacker with admin-level access in a multisite/restricted environment) saves a form configuration containing a malicious payload in these fields, the script is stored in the database. The payload then executes when any user (typically an administrator) accesses the form builder to edit that specific form.

2. Attack Vector Analysis

• Vulnerable Endpoint: The administrative form builder page, typically accessed via wp-admin/admin.php?page=cp_appbooking.
• Vulnerable Action: Saving form configurations. This is usually a POST request to the same page or an AJAX action.
• Vulnerable Parameters: The payload is injected into the minlength or maxlength properties within the serialized or JSON-encoded form structure.
• Authentication: Requires Administrator-level privileges (manage_options).
• Preconditions: In a standard single-site installation, admins have the unfiltered_html capability, making this vulnerability technically "intended behavior" for them. However, in WordPress Multisite or installations where DISALLOW_UNFILTERED_HTML is defined as true, this represents a privilege escalation/security bypass.

3. Code Flow (Inferred)

1. Entry Point: The administrator navigates to the "Appointment Hour Booking" menu and selects "Edit" on a calendar/form.
2. Data Submission: The user modifies a field (e.g., a "Single Line Text" field) and sets a "Min Length" value.
3. Processing: When "Save Changes" is clicked, a POST request is sent. The plugin handles this in the admin initialization (likely admin_init or the menu page callback).
4. Storage: The plugin processes the form_structure parameter and saves it to the database (likely in the wp_options table under a key like CP_APPBOOKING_ID1_STRUC or within a custom table wp_cp_appbooking_calendars).
5. Sink: When the form builder is reloaded, the plugin retrieves the structure and outputs it into the page as part of a JavaScript object (to initialize the UI) or within HTML attributes. Due to lack of esc_attr() or json_encode() with proper flags, the payload breaks out of the context.

4. Nonce Acquisition Strategy

The form builder uses nonces for security. Since we are acting as an authenticated administrator, we can extract the nonce from the admin interface.

1. Identify Shortcode: The plugin's main functionality is triggered by the [CP_APPBOOKING_ID=1] (inferred) shortcode.
2. Create Setup Page:
   wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content='[CP_APPBOOKING_ID=1]'
3. Extract Nonce via Browser:
   Navigate to the admin page: /wp-admin/admin.php?page=cp_appbooking.
   The nonce is typically found in the HTML source or a JS variable.
   JS Variable (Inferred): window.cp_appbooking_params?.nonce or a hidden input named cp_appbooking_nonce.
   Extraction Command: browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value || document.querySelector('#cp_appbooking_nonce')?.value")

5. Exploitation Strategy

Step 1: Analyze the Form Structure

First, we must understand how the plugin sends the form structure. It is usually a JSON string in a POST parameter named form_structure.

Step 2: Craft the Payload

The payload must break out of a JSON string or an HTML attribute.
Payload: 123"><script>alert(document.domain)</script>

Step 3: Send the Malicious Update

We will perform an http_request as the Admin to update the form.

HTTP Request (Example):

• Method: POST
• URL: http://localhost:8080/wp-admin/admin.php?page=cp_appbooking&item=1
• Headers: Content-Type: application/x-www-form-urlencoded
• Body Parameters:
  • action: save_form (inferred)
  • _wpnonce: [EXTRACTED_NONCE]
  • form_structure: [{"name":"fieldname1","type":"text","minlength":"123\"><script>alert(document.domain)</script>","maxlength":"10"}] (Simplified JSON example)

Step 4: Trigger the XSS

Navigate to the form editor page:
http://localhost:8080/wp-admin/admin.php?page=cp_appbooking&item=1
The payload should execute upon page load as the builder renders the field settings.

6. Test Data Setup

1. Install and activate "Appointment Hour Booking" version 1.5.60.
2. Ensure an administrator user exists.
3. Optional: Disable unfiltered_html to simulate a restricted environment:
   wp config set DISALLOW_UNFILTERED_HTML true --raw
4. Create at least one booking calendar (usually one is created by default on install).

7. Expected Results

• The POST request to save the form should return a 200 OK or a 302 redirect.
• Upon navigating to the edit page for that form, a JavaScript alert box displaying the document domain should appear.
• The page source will reveal the unescaped string: minlength="123"><script>alert(document.domain)</script>".

8. Verification Steps

1. Verify Storage via CLI:
   wp db query "SELECT * FROM wp_options WHERE option_name LIKE 'CP_APPBOOKING_%'" (Check if payload is present in the option value).
   OR, if using a custom table:
   wp db query "SELECT * FROM wp_cp_appbooking_calendars"
2. Verify Execution: Use browser_navigate to the admin page and check for the presence of the script in the DOM or the execution of the alert.

9. Alternative Approaches

• Property Injection: If the plugin uses json_encode but not on the server-side rendering of the length fields, try different breakout characters like " or \u0022.
• Shortcode Injection: If the XSS doesn't trigger in the admin backend but does on the frontend, check the page where the [CP_APPBOOKING] shortcode is placed. The vulnerability might manifest when the frontend JS initializes the validation rules using the stored minlength property.