[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fef0z5k60-Iwrqg5nyGJBmsd63m8Lx5xt-K3DN5Nvlp4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1431","booking-calendar-missing-authorization-to-unauthenticated-booking-details-exposure","Booking Calendar \u003C= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure","The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails.","booking",null,"\u003C=10.14.13","10.14.14","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-01-30 16:06:31","2026-01-31 04:35:15",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1431 (Booking Calendar)\n\n## 1. Vulnerability Summary\nThe **Booking Calendar** plugin (\u003C= 10.14.13) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the function `wpbc_ajax_WPBC_FLEXTIMELINE_NAV()` is registered as an AJAX action accessible to unauthenticated users via `wp_ajax_nopriv_WPBC_FLEXTIMELINE_NAV`. The function fails to implement any `current_user_can()` capability checks. Consequently, an unauthenticated attacker can invoke this function to retrieve sensitive booking data, including customer names, email addresses, and phone numbers, which are typically displayed in the \"Flex Timeline\" view.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **HTTP Method:** `POST` (typically used by WordPress AJAX)\n*   **Action:** `WPBC_FLEXTIMELINE_NAV` (Inferred from the function name `wpbc_ajax_WPBC_FLEXTIMELINE_NAV`)\n*   **Parameters:**\n    *   `action`: `WPBC_FLEXTIMELINE_NAV`\n    *   `wpbc_nonce`: (If required, see Nonce Strategy)\n    *   `booking_type`: (Inferred) The resource\u002Fcalendar ID.\n    *   `selected_dates`: (Inferred) Date range for the timeline navigation.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** At least one booking must exist in the system for data exposure to be demonstrable.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a request to `admin-ajax.php` with `action=WPBC_FLEXTIMELINE_NAV`.\n2.  **Hook Registration:** The plugin registers the action (likely in `inc\u002Fjs\u002Fbiz_s.php` or a similar core AJAX file):\n    ```php\n    add_action( 'wp_ajax_WPBC_FLEXTIMELINE_NAV', 'wpbc_ajax_WPBC_FLEXTIMELINE_NAV' );\n    add_action( 'wp_ajax_nopriv_WPBC_FLEXTIMELINE_NAV', 'wpbc_ajax_WPBC_FLEXTIMELINE_NAV' );\n    ```\n3.  **Vulnerable Function:** `wpbc_ajax_WPBC_FLEXTIMELINE_NAV()` is executed.\n4.  **Data Retrieval:** The function parses date\u002Fnavigation parameters and queries the database (via `$wpdb` or internal booking classes) for bookings falling within the requested range.\n5.  **Sink:** The function returns an HTML or JSON response containing the details of the bookings to populate the timeline UI. Because no capability check (e.g., `current_user_can( 'manage_bookings' )`) is present, the PII is sent to the requester.\n\n## 4. Nonce Acquisition Strategy\nBooking Calendar frequently uses nonces for AJAX actions. If `wp_verify_nonce` or `check_ajax_referer` is present in the vulnerable function, the following strategy should be used:\n\n1.  **Identify the Localization:** The plugin typically localizes AJAX parameters into a global JS object. Based on common versions, look for `wpbc_global_values`.\n2.  **Identify Shortcode:** The Flex Timeline is often rendered via a shortcode like `[bookingtimeline]`.\n3.  **Strategy:**\n    *   **Step 1:** Create a public page containing the timeline shortcode:\n        `wp post create --post_type=page --post_status=publish --post_title=\"Timeline\" --post_content='[bookingtimeline]'`\n    *   **Step 2:** Navigate to the newly created page using `browser_navigate`.\n    *   **Step 3:** Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Search for potential nonce locations in WPBC\n        window.wpbc_global_values?.wpbc_nonce || \n        window.wpbc_ajax_vars?.nonce || \n        document.querySelector('#wpbc_nonce')?.value\n        ```\n4.  **Bypass Check:** If the code uses `check_ajax_referer( 'wpbc-ajax-nonce', 'wpbc_nonce', false )` (with `die=false`) and fails to check the return value, the nonce can be omitted or randomized.\n\n## 5. Exploitation Strategy\nThe exploit will attempt to navigate the \"Flex Timeline\" via the AJAX endpoint to leak booking details.\n\n*   **Request URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Payload (POST Body):**\n    ```\n    action=WPBC_FLEXTIMELINE_NAV\n    &wpbc_nonce=[EXTRACTED_NONCE]\n    &view_days=30\n    &start_date=2025-01-01\n    &resource_id=1\n    ```\n*   **Headers:**\n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Expected Response:** A successful response will contain HTML table rows or a JSON array. Look for string patterns such as:\n    *   `\"email\":\"...\"`\n    *   `\"phone\":\"...\"`\n    *   `\"name\":\"...\"`\n    *   Or HTML tags containing email addresses (e.g., `mailto:`).\n\n## 6. Test Data Setup\nTo verify the leak, we need existing booking data:\n1.  **Create a Booking Resource:**\n    `wp eval \"$wpdb->insert($wpdb->prefix . 'bookingtypes', ['title' => 'Test Resource', 'users' => 1]);\"`\n2.  **Create a Booking with PII:**\n    Generate a booking for \"John Doe\" with email `victim@example.com` and phone `555-1234`. This can be done via `wp eval` by inserting into the `wp_booking` and `wp_booking_details` tables (table names may vary based on prefix).\n    *   *Note:* It is often easier to use the `[bookingform]` shortcode once to submit a real test booking through the frontend to ensure all relational tables are populated correctly.\n\n## 7. Expected Results\n*   **Success:** The HTTP response body contains the string `victim@example.com` or `555-1234`.\n*   **Status Code:** `200 OK`.\n*   **Data Structure:** The data is likely formatted for a tooltip or a timeline cell, clearly showing customer identity information that should be restricted to administrators.\n\n## 8. Verification Steps\n1.  **Confirm Vulnerability:** Check if the PII in the AJAX response matches the data created in Step 6.\n2.  **Verify Unauthenticated Status:** Ensure the `http_request` does **not** include any `wordpress_logged_in_*` cookies.\n3.  **Database Check:** Use WP-CLI to verify the record exists:\n    `wp db query \"SELECT * FROM wp_booking_details WHERE email='victim@example.com'\"`\n\n## 9. Alternative Approaches\n*   **Action Name Variation:** If `WPBC_FLEXTIMELINE_NAV` fails, search the source code for all `wp_ajax_nopriv_` hooks using:\n    `grep -r \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fbooking\u002F`\n*   **Parameter Bruteforce:** If the `resource_id` is unknown, loop through IDs 1-10.\n*   **Date Range:** If no results are returned, expand the `start_date` and `view_days` to cover a wider range (e.g., 365 days).","The Booking Calendar plugin for WordPress fails to implement authorization checks in its Flex Timeline AJAX handler. This allows unauthenticated attackers to invoke the WPBC_FLEXTIMELINE_NAV action and retrieve sensitive customer data, including names, email addresses, and phone numbers, which are typically restricted to administrators.","\u002F\u002F The function is registered for unauthenticated users without capability checks\nadd_action( 'wp_ajax_WPBC_FLEXTIMELINE_NAV', 'wpbc_ajax_WPBC_FLEXTIMELINE_NAV' );\nadd_action( 'wp_ajax_nopriv_WPBC_FLEXTIMELINE_NAV', 'wpbc_ajax_WPBC_FLEXTIMELINE_NAV' );\n\nfunction wpbc_ajax_WPBC_FLEXTIMELINE_NAV() {\n    \u002F\u002F Function processes requests and returns booking data without verifying user permissions\n    \u002F\u002F ... (logic to fetch bookings based on POST parameters) ...\n    \n    \u002F\u002F Findings are echoed directly into the response\n    echo $booking_details_html;\n    wp_die();\n}","--- a\u002Finc\u002Fjs\u002Fbiz_s.php\n+++ b\u002Finc\u002Fjs\u002Fbiz_s.php\n@@ -1,3 +1,6 @@\n add_action( 'wp_ajax_WPBC_FLEXTIMELINE_NAV', 'wpbc_ajax_WPBC_FLEXTIMELINE_NAV' );\n-add_action( 'wp_ajax_nopriv_WPBC_FLEXTIMELINE_NAV', 'wpbc_ajax_WPBC_FLEXTIMELINE_NAV' );\n \n function wpbc_ajax_WPBC_FLEXTIMELINE_NAV() {\n+    if ( ! current_user_can( 'manage_bookings' ) ) {\n+        wp_die( 'Unauthorized' );\n+    }\n+    check_ajax_referer( 'wpbc-ajax-nonce', 'wpbc_nonce' );","The exploit targets the WordPress AJAX endpoint to leak booking information. An attacker first identifies a valid nonce (often found in the source code of public pages containing a booking timeline shortcode). They then send an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'WPBC_FLEXTIMELINE_NAV', along with parameters defining a date range and resource ID. Because the plugin does not verify if the requester has the 'manage_bookings' capability, the server returns the requested timeline view containing full customer PII (names, emails, and phone numbers).","gemini-3-flash-preview","2026-04-27 17:42:00","2026-04-27 17:43:58",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","10.14.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking\u002Ftags\u002F10.14.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooking.10.14.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking\u002Ftags\u002F10.14.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooking.10.14.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking\u002Ftags"]