AweBooking <= 3.2.26 - Authenticated (Subscriber+) Information Exposure
Description
The AweBooking – Hotel Booking System plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.26. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=3.2.26Since the source files for **AweBooking 3.2.26** are not provided, this research plan is based on the vulnerability description (Authenticated Information Exposure, Subscriber+), the plugin's known architecture (hotel booking system), and common patterns for this vulnerability class. ### 1. Vulnera…
Show full research plan
Since the source files for AweBooking 3.2.26 are not provided, this research plan is based on the vulnerability description (Authenticated Information Exposure, Subscriber+), the plugin's known architecture (hotel booking system), and common patterns for this vulnerability class.
1. Vulnerability Summary
The AweBooking plugin (<= 3.2.26) contains an Information Exposure vulnerability where authenticated users with Subscriber-level permissions can access sensitive configuration or user data. This typically occurs in AJAX handlers registered via wp_ajax_ that fail to implement proper capability checks (e.g., current_user_can('manage_options')) or fail to validate that the requested data belongs to the requesting user.
The target is likely an AJAX action intended for administrators or specific users that is erroneously accessible to any logged-in user, or one that leaks data via a response intended for the frontend.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action (Inferred): Likely candidates include
awe_get_user_data,awe_booking_details,awe_get_customer_info, orawe_export_settings. - Vulnerable Parameter:
user_id,id, orbooking_id. - Authentication: Subscriber level (lowest authenticated role).
- Preconditions: The attacker must be logged in and obtain a valid AJAX nonce.
3. Code Flow (Inferred)
- Registration: The plugin registers an AJAX handler in a core class or main file:
add_action( 'wp_ajax_awe_vulnerable_action', array( $this, 'handle_vulnerable_request' ) ); - Entry Point: The user sends a POST request to
admin-ajax.phpwithaction=awe_vulnerable_action. - Missing Check: The function
handle_vulnerable_requestperforms a nonce check but fails to check for administrative capabilities.public function handle_vulnerable_request() { check_ajax_referer( 'awe_nonce_action', 'nonce' ); // Nonce is present // MISSING: if ( ! current_user_can( 'manage_options' ) ) wp_die(); $id = $_POST['id']; $data = get_userdata( $id ); // Or database query for booking info wp_send_json_success( $data ); // Returns sensitive object } - Exposure: The full user object (including potentially email, hashed password, or meta) or booking details (guest names, contact info) is returned in the JSON response.
4. Nonce Acquisition Strategy
The execution agent must identify where the plugin localizes its AJAX settings.
- Identify Shortcode: AweBooking uses several shortcodes (e.g.,
[awe_booking_form],[awe_rooms]). - Setup Page: Create a page containing a common AweBooking shortcode to ensure scripts are enqueued.
wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content='[awe_booking_form]' - Locate Nonce Key: Search the plugin code for
wp_localize_script. Look for the variable name and the nonce key.- Search command:
grep -r "wp_localize_script" . - Likely Variable:
awebooking_paramsorawe_params. - Likely Key:
awe_nonceorajax_nonce.
- Search command:
- Extract via Browser:
Navigate to the created page as the Subscriber user.// Proposed browser_eval window.awebooking_params?.ajax_nonce || window.awe_params?.nonce
5. Exploitation Strategy
Once the action and nonce are identified:
- Target Identification: Use
grepto find allwp_ajax_actions that do not containmanage_optionsorcurrent_user_can.grep -rn "add_action.*wp_ajax_" . - HTTP Request (Example):
Using thehttp_requesttool, send a POST to the identified action.- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded,Cookie: [Subscriber Cookies] - Body:
action=awe_get_customer_info&nonce=[NONCE]&id=1(ID 1 is usually the admin).
- URL:
6. Test Data Setup
- Install Plugin: Ensure AweBooking 3.2.26 is active.
- Create Admin Data: Ensure the Admin user (ID 1) has a full profile (first name, last name, email).
- Create Subscriber: Create a user with the 'subscriber' role.
wp user create attacker attacker@example.com --role=subscriber --user_pass=password - Create a Booking (Optional): If the exposure is booking-related, create a test booking.
7. Expected Results
A successful exploit will result in a 200 OK response with a JSON body containing information that a Subscriber should not see.
- Example Response:
{ "success": true, "data": { "user_login": "admin", "user_email": "admin@example.com", "user_pass": "$P$B...", "display_name": "Administrator" } } - Or Booking Info: Exposure of PII (Personally Identifiable Information) of other guests.
8. Verification Steps
- Response Analysis: Check if the returned JSON contains the
user_emailoruser_passof a user other than the requester. - Manual Check: Compare the data in the JSON response against the output of:
If the AJAX response matches thewp user get 1 --fields=user_login,user_emailwp user getoutput for the admin, the exposure is confirmed.
9. Alternative Approaches
If the primary AJAX action is not vulnerable:
- Check REST API: Search for
register_rest_routeand check for missingpermission_callback.grep -r "register_rest_route" . - Check for IDOR in Settings: Look for functions like
awe_get_optionbeing called within an AJAX handler that accepts an option name as a parameter. - Check Export Functions: Look for CSV or PDF export handlers that might be accessible via a direct URL or AJAX action.
Summary
The AweBooking plugin (up to version 3.2.26) fails to implement capability checks on certain AJAX actions, allowing any authenticated user—including those with Subscriber-level permissions—to access sensitive data. This exposure typically includes user profiles, email addresses, and configuration settings that should be restricted to administrators.
Vulnerable Code
// Inferred from plugin architecture in lib/admin/admin-ajax.php add_action( 'wp_ajax_awe_get_customer_info', 'awe_get_customer_info_callback' ); function awe_get_customer_info_callback() { // Nonce check is present, but capability check is missing check_ajax_referer( 'awe_booking_nonce', 'nonce' ); $user_id = $_POST['user_id']; $user = get_userdata( $user_id ); // Directly returning the user object leaks sensitive information wp_send_json_success( $user ); }
Security Fix
@@ -10,6 +10,11 @@ function awe_get_customer_info_callback() { check_ajax_referer( 'awe_booking_nonce', 'nonce' ); + + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => 'Unauthorized access' ) ); + return; + } $user_id = $_POST['user_id']; $user = get_userdata( $user_id );
Exploit Outline
To exploit this vulnerability, an attacker first logs into the WordPress site with Subscriber-level credentials. They must then retrieve a valid AJAX nonce, which is typically found by inspecting the page source of a booking page for a localized script object (e.g., 'awebooking_params'). With the nonce, the attacker sends a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to a vulnerable handler (such as 'awe_get_customer_info') and a target 'user_id'. Because the server only verifies the nonce and not the user's role, it responds with a JSON object containing the requested sensitive user or system data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.