[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxHt3eBLK8MNmvN0ro5-lxNyl5tt9xEWRNkgxT4XeGos":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-23972","booking-and-rental-manager-for-bike-car-resort-appointment-dress-equipment-missing-authorization","Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment \u003C= 2.6.0 - Missing Authorization","The Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.6.0. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","booking-and-rental-manager-for-woocommerce",null,"\u003C=2.6.0","2.6.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-23 00:00:00","2026-04-02 15:03:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F501be94e-c01a-43bd-b079-c11e60969def?source=api-prod",11,[],"researched",false,3,"This research plan outlines the steps to investigate and exploit **CVE-2026-23972**, a missing authorization vulnerability in the **Booking and Rental Manager for WooCommerce** plugin.\n\n### 1. Vulnerability Summary\nThe \"Booking and Rental Manager for WooCommerce\" plugin (versions \u003C= 2.6.0) fails to perform adequate capability checks on one or more of its AJAX handlers. This allows an authenticated user with Subscriber-level permissions to trigger administrative actions. The vulnerability likely exists within a function registered via the `wp_ajax_` hook that performs sensitive operations (like updating plugin settings or modifying bookings) but lacks a `current_user_can( 'manage_options' )` check.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Authentication:** Authenticated, Subscriber-level (PR:L).\n*   **Action (Inferred):** Likely `inventory_save_settings_data` or `redq_rental_save_settings`.\n*   **Preconditions:** The attacker must be logged in as a Subscriber and obtain a valid AJAX nonce if one is required for the specific handler.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers AJAX actions in its main class or an AJAX handler class (e.g., `includes\u002Fadmin\u002Fclass-inventory-admin-ajax.php` or similar).\n    *   *Code:* `add_action( 'wp_ajax_inventory_save_settings_data', 'inventory_save_settings_data_callback' );`\n2.  
**Missing Check:** The callback function `inventory_save_settings_data_callback` is executed. It might call `check_ajax_referer()` to verify a nonce (preventing CSRF) but fails to call `current_user_can()`.\n3.  **Sink:** The function proceeds to update the database using `update_option()` or `$wpdb->update()`, allowing the subscriber to modify plugin configurations.\n\n### 4. Nonce Acquisition Strategy\nTo bypass CSRF protections, we must find where the plugin localizes its AJAX nonce.\n\n1.  **Identify Shortcode:** Search for shortcodes that might enqueue the necessary scripts: `grep -r \"add_shortcode\" .`. Likely candidates: `[rental_products]` or `[inventory_list]`.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Nonce Extraction\" --post_content='[rental_products]'\n    ```\n3.  **Find Localization Variable:** Search the source for `wp_localize_script`.\n    *   *Likely JS object:* `inventory_ajax` or `rb_booking_params`.\n    *   *Likely key:* `nonce` or `security`.\n4.  **Extract via Browser:**\n    Navigate to the created page as a Subscriber and run:\n    ```javascript\n    \u002F\u002F Example: Using inventory_ajax object\n    browser_eval(\"window.inventory_ajax?.nonce || window.inventory_ajax?.security\")\n    ```\n\n### 5. 
Exploitation Strategy\nWe will attempt to modify a global plugin setting that should be restricted to administrators.\n\n**Target Action:** `inventory_save_settings_data` (or the specific action found during discovery).\n\n**Payload Construction:**\n*   **URL:** `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `inventory_save_settings_data`\n    *   `security`: `[EXTRACTED_NONCE]`\n    *   `inventory_settings[general][any_setting]`: `malicious_value` (We will first check existing settings using WP-CLI to find a valid key).\n\n**HTTP Request (via `http_request` tool):**\n```json\n{\n  \"method\": \"POST\",\n  \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n  \"data\": \"action=inventory_save_settings_data&security=NONCE_VALUE&settings[general_settings][allow_booking_without_payment]=yes\",\n  \"headers\": {\n    \"Content-Type\": \"application\u002Fx-www-form-urlencoded\",\n    \"Cookie\": \"[SUBSCRIBER_COOKIES]\"\n  }\n}\n```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure version 2.6.0 is installed.\n2.  **Create Subscriber:** `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`.\n3.  **Identify Settings Structure:** Run `wp option get inventory_settings` (or similar option name found in code) to identify the settings array structure to target.\n4.  **Publish Page:** Create a page with the plugin's shortcode to ensure scripts (and nonces) are loaded for the subscriber.\n\n### 7. Expected Results\n*   The `admin-ajax.php` response should be a `200 OK` (often returning `1` or a JSON success message).\n*   The plugin configuration in the database should be updated despite the request coming from a Subscriber.\n\n### 8. Verification Steps\n1.  
**Check Option Value:** Use WP-CLI to verify the change:\n    ```bash\n    wp option get inventory_settings\n    ```\n2.  **Manual Check:** Log in as Admin and navigate to the plugin settings page to see if the value has changed in the UI.\n\n### 9. Alternative Approaches\nIf the settings update is protected but another handler is not:\n*   **User Meta Update:** Check if there are AJAX handlers like `update_user_booking_profile` that allow updating meta for any user ID without verifying if the user is an admin or the owner of the profile.\n*   **Booking Deletion:** Look for `wp_ajax_delete_booking` or similar. Attempt to delete an order\u002Fbooking ID that does not belong to the subscriber.\n    *   *Payload:* `action=delete_rental_booking&booking_id=1&security=NONCE`\n*   **Information Disclosure:** Look for AJAX handlers that return booking details (e.g., `get_booking_details`) without checking if the user is an admin or the customer who made the booking.","The Booking and Rental Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access in versions up to 2.6.0 due to missing capability checks in AJAX handlers. 
This allows authenticated attackers with subscriber-level permissions to perform administrative actions such as modifying plugin settings or deleting bookings.","\u002F\u002F From includes\u002Fadmin\u002Fclass-inventory-admin-ajax.php (inferred from research plan)\nadd_action( 'wp_ajax_inventory_save_settings_data', 'inventory_save_settings_data_callback' );\n\nfunction inventory_save_settings_data_callback() {\n    check_ajax_referer( 'inventory_settings_nonce', 'security' );\n    \u002F\u002F Missing current_user_can( 'manage_options' ) check here\n\n    if ( isset( $_POST['settings'] ) ) {\n        update_option( 'inventory_settings', $_POST['settings'] );\n        wp_send_json_success();\n    }\n}","--- a\u002Fincludes\u002Fadmin\u002Fclass-inventory-admin-ajax.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-inventory-admin-ajax.php\n@@ -10,6 +10,10 @@\n function inventory_save_settings_data_callback() {\n     check_ajax_referer( 'inventory_settings_nonce', 'security' );\n \n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( array( 'message' => __( 'Unauthorized', 'booking-and-rental-manager-for-woocommerce' ) ) );\n+    }\n+\n     if ( isset( $_POST['settings'] ) ) {\n         update_option( 'inventory_settings', $_POST['settings'] );","The exploit target is the admin-ajax.php endpoint via a subscriber-level account. First, the attacker must obtain a valid AJAX nonce by visiting a front-end page where the plugin localizes its scripts (typically enqueued via shortcodes like [rental_products]). Once the nonce (e.g., from the inventory_ajax JavaScript object) is retrieved, the attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'inventory_save_settings_data' (or another vulnerable handler). 
The payload includes the valid nonce in the 'security' field and malicious configuration data in the 'settings' or 'inventory_settings' array, effectively overwriting the plugin's global options despite the attacker's low privilege level.","gemini-3-flash-preview","2026-04-18 00:10:29","2026-04-18 00:10:50",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-and-rental-manager-for-woocommerce\u002Ftags"]
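Review bot: the capability guard added in the research_fix_diff hunk is effective only because wp_send_json_error() terminates the request via wp_die(); the hunk has no return after it, which reads as an early-exit bug to anyone unfamiliar with that behaviour, so an explicit `return;` (or `wp_die()`) after the error call would make the intent unambiguous. The hunk also leaves `update_option( 'inventory_settings', $_POST['settings'] )` untouched, so an administrator-level request still stores the raw POST array without sanitization or a whitelist of expected keys; the fix should validate the settings structure before persisting it. Note as well that this diff is labelled as inferred from the research plan and the record's patch_diff_files is empty, so it documents the expected shape of the fix rather than the verified upstream change in 2.6.1.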