[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcLoCR_WbjMuuNGEQmG1PHAJS3nZaqAzB6hpBdAUZFpc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39525","booking-activities-missing-authorization","Booking Activities \u003C= 1.16.48.1 - Missing Authorization","The Booking Activities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.16.48.1. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","booking-activities",null,"\u003C=1.16.48.1","1.17.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-13 00:00:00","2026-04-21 14:49:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F18be0679-7083-4189-b3fe-5ec6cd2e6f76?source=api-prod",9,[22,23,24,25,26,27,28,29],"booking-activities.php","controller\u002Fcontroller-booking-system.php","controller\u002Fcontroller-bookings.php","controller\u002Fcontroller-forms.php","controller\u002Fcontroller-i18n.php","controller\u002Fcontroller-settings.php","controller\u002Fcontroller-shortcodes.php","controller\u002Fcontroller-templates.php","researched",false,3,"system.php` again.\n        The function `bookacti_controller_get_booking_system_data_by_interval` is *definitely* missing a nonce.\n        And the CVE description says \"Missing capability check\" (Authorization) not \"Missing Nonce\" (CSRF).\n        The action is likely something in `controller-bookings.php`.\n\n    *   *Hypothesis:* The `wp_ajax_nopriv_bookactiCancelBooking` action was added or the capability check was missing in the `cancel` function.\n\n    *   *Let's look at the CVSS again:* 5.3. Medium.\n        This is consistent with \"anyone can cancel any booking\" (Integrity Low, no Confidentiality or Availability impact usually for a simple cancel).\n\n    *   *Plan for PO-C:*\n        1. Create a booking (to have something to cancel).\n        2. Obtain the `bookacti_cancel_booking` nonce.\n        3. Attempt to cancel the booking as an unauthenticated user.\n\n        *Wait, where is the nonce?*\n        In `booking-activities.php`:\n        `add_action( 'wp_enqueue_scripts', 'bookacti_enqueue_js_variables', 5 );`\n        This calls `bookacti_get_js_variables()`. 
(Function body not in snippet).\n        I will assume `bookacti_get_js_variables()` includes the `cancel_booking` nonce.\n\n    *   *Wait!","The Booking Activities plugin for WordPress is vulnerable to unauthorized access due to missing capability checks and missing nonce validation on several AJAX handlers. This allows unauthenticated attackers to perform unauthorized actions such as retrieving booking system data and internal booking counts, which could lead to information disclosure or unauthorized interaction with the booking system. Caveat: the recorded CVSS vector for this CVE (C:N\u002FI:L) attributes no confidentiality impact, and the fix diff captured in this record contains only the version-header change, so the handler that actually received the missing capability check is not identified here. The information-disclosure reading above is unverified (research_verified is false and no PoC is recorded) and should not be relied on without checking the 1.17.0 controller files directly.","\u002F\u002F controller\u002Fcontroller-booking-system.php (v1.16.48.1)\n\nfunction bookacti_controller_get_booking_system_data_by_interval() {\n\t$atts     = isset( $_POST[ 'attributes' ] ) ? ( is_array( $_POST[ 'attributes' ] ) ? $_POST[ 'attributes' ] : ( is_string( $_POST[ 'attributes' ] ) ? bookacti_maybe_decode_json( stripslashes( $_POST[ 'attributes' ] ), true ) : array() ) ) : array();\n\t$atts     = bookacti_format_booking_system_attributes( $atts );\n\t$interval = isset( $_POST[ 'interval' ] ) ? ( is_array( $_POST[ 'interval' ] ) ? $_POST[ 'interval' ] : ( is_string( $_POST[ 'interval' ] ) ? bookacti_maybe_decode_json( stripslashes( $_POST[ 'interval' ] ), true ) : array() ) ) : array();\n\t$interval = $interval ? bookacti_sanitize_events_interval( $interval ) : array();\n\t\n    \u002F\u002F ... processing ...\n\t\n\t$booking_system_data = bookacti_get_booking_system_data( $atts );\n\t\n    \u002F\u002F ... 
processing ...\n\n\tbookacti_send_json( array( \n\t\t'status'              => 'success', \n\t\t'booking_system_data' => $public_booking_system_data,\n\t\t'trimmed_period'      => $trimmed_period\n\t), 'get_booking_system_data_by_interval' );\n}\nadd_action( 'wp_ajax_bookactiGetBookingSystemDataByInterval', 'bookacti_controller_get_booking_system_data_by_interval' );\nadd_action( 'wp_ajax_nopriv_bookactiGetBookingSystemDataByInterval', 'bookacti_controller_get_booking_system_data_by_interval' );\n\n---\n\n\u002F\u002F controller\u002Fcontroller-booking-system.php (v1.16.48.1)\n\nfunction bookacti_controller_get_booking_numbers() {\n\t$template_ids  = isset( $_POST[ 'template_ids' ] ) ? bookacti_ids_to_array( $_POST[ 'template_ids' ] ) : array();\n\t$groups_data   = isset( $_POST[ 'groups_data' ] ) && is_array( $_POST[ 'groups_data' ] ) ? $_POST[ 'groups_data' ] : array();\n\t$groups_events = isset( $_POST[ 'groups_events' ] ) && is_array( $_POST[ 'groups_events' ] ) ? $_POST[ 'groups_events' ] : array();\n\t$groups        = array( 'data' => $groups_data, 'groups' => $groups_events );\n\t\n\t$bookings_nb_per_event = bookacti_get_number_of_bookings_per_event( array( 'templates' => $template_ids ) );\n\tif( ! 
$bookings_nb_per_event ) { bookacti_send_json( array( 'status' => 'no_bookings' ), 'get_booking_numbers' ); }\n\t\n\t$bookings_nb_per_group = bookacti_get_number_of_bookings_per_group_of_events( $groups );\n\t\n\tbookacti_send_json( array( 'status' => 'success', 'bookings' => $bookings_nb_per_event, 'groups_bookings' => $bookings_nb_per_group ), 'get_booking_numbers' );\n}\nadd_action( 'wp_ajax_bookactiGetBookingNumbers', 'bookacti_controller_get_booking_numbers' );\nadd_action( 'wp_ajax_nopriv_bookactiGetBookingNumbers', 'bookacti_controller_get_booking_numbers' );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking-activities\u002F1.16.48.1\u002Fbooking-activities.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking-activities\u002F1.17.0\u002Fbooking-activities.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking-activities\u002F1.16.48.1\u002Fbooking-activities.php\t2026-03-05 10:46:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking-activities\u002F1.17.0\u002Fbooking-activities.php\t2026-03-05 16:06:20.000000000 +0000\n@@ -3,7 +3,7 @@\n  * Plugin Name: Booking Activities\n  * Plugin URI: https:\u002F\u002Fbooking-activities.fr\u002Fen\u002F?utm_source=plugin&utm_medium=plugin&utm_content=header\n  * Description: Booking system specialized in activities (sports, cultural, leisure, events...). Works great with WooCommerce.\n- * Version: 1.16.48.1\n+ * Version: 1.17.0\n  * Author: Booking Activities Team\n  * Author URI: https:\u002F\u002Fbooking-activities.fr\u002Fen\u002F?utm_source=plugin&utm_medium=plugin&utm_content=header\n  * Text Domain: booking-activities\n@@ -42,7 +42,7 @@\n \n \n \u002F\u002F GLOBALS AND CONSTANTS\n-if( ! defined( 'BOOKACTI_VERSION' ) )     { define( 'BOOKACTI_VERSION', '1.16.48.1' ); }\n+if( ! 
defined( 'BOOKACTI_VERSION' ) )     { define( 'BOOKACTI_VERSION', '1.17.0' ); }\n if( ! defined( 'BOOKACTI_PLUGIN_NAME' ) ) { define( 'BOOKACTI_PLUGIN_NAME', 'booking-activities' ); }\n if( ! defined( 'BOOKACTI_PATH' ) )        { define( 'BOOKACTI_PATH', __DIR__ ); }","To exploit this vulnerability, an unauthenticated attacker can directly interact with the plugin's AJAX handlers. \n\n1. Locate the WordPress AJAX endpoint at `wp-admin\u002Fadmin-ajax.php`.\n2. Construct a POST request with the `action` parameter set to one of the AJAX actions quoted in the vulnerable-code excerpt, such as `bookactiGetBookingSystemDataByInterval` or `bookactiGetBookingNumbers`.\n3. Include the expected parameters in the POST body, such as `attributes` (JSON\u002Farray) or `template_ids[]`. \n4. Since these functions are registered with the `wp_ajax_nopriv_` hook and lack `check_ajax_referer` (nonce validation) and `current_user_can` (capability checks) in the vulnerable versions, the request will be processed regardless of the user's authentication status. Caveat: a `wp_ajax_nopriv_` registration is by itself an intentional public endpoint, so the absence of a capability check on these two read-only lookups does not on its own establish the reported issue; the recorded CVSS vector scores I:L with C:N, which does not match a pure data-retrieval impact, and the fix diff captured in this record shows only the version bump rather than a change to either handler.\n5. The server will return a JSON response containing booking system data, event intervals, or booking counts associated with the provided IDs. Whether this exposes anything beyond what the public booking widget already renders has not been verified (research_verified is false and no PoC is recorded).","gemini-3-flash-preview","2026-04-27 15:03:51","2026-04-27 15:04:45",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.16.48.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-activities\u002Ftags\u002F1.16.48.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooking-activities.1.16.48.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-activities\u002Ftags\u002F1.17.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooking-activities.1.17.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-activities\u002Ftags"]