Booking Ultra Pro <= 1.1.23 - Authenticated (Subscriber+) Information Exposure
Description
The Booking Ultra Pro Appointments Booking Calendar Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.23. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=1.1.23Since source files were not provided for **Booking Ultra Pro <= 1.1.23**, this plan is based on the vulnerability description, common patterns in this plugin's architecture, and standard WordPress security research methodologies. **Identifiers marked with (inferred) must be verified by the agent dur…
Show full research plan
Since source files were not provided for Booking Ultra Pro <= 1.1.23, this plan is based on the vulnerability description, common patterns in this plugin's architecture, and standard WordPress security research methodologies. Identifiers marked with (inferred) must be verified by the agent during the initial discovery phase.
1. Vulnerability Summary
The Booking Ultra Pro plugin is vulnerable to Information Exposure via insecurely protected AJAX or REST API endpoints. Authenticated users with Subscriber-level permissions can trigger specific actions that return sensitive data—such as full user lists (including emails/phone numbers), plugin configuration (potentially including API keys), or internal system paths—because the plugin fails to implement proper capability checks (current_user_can) on these administrative functions.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php - Vulnerable Action (Inferred):
bup_get_staff_list,bup_get_clients, orbup_export_settings. - Authentication: Subscriber level (
PR:L). - Payload Parameter:
action,security(nonce), and potentiallytypeorid. - Preconditions: The attacker must be logged in as a Subscriber.
3. Code Flow (Discovery Logic)
The agent should trace the following path to confirm the vulnerability:
- Entry Point: Search for AJAX registrations in the plugin folder (likely
classes/oradmin/directories).grep -rn "wp_ajax_" .
- Identify Weak Handlers: Look for functions registered with
wp_ajax_but notwp_ajax_nopriv_. - Audit Capabilities: Examine the callback function for each handler.
- Vulnerable Pattern: The function uses
check_ajax_referer(...)but lacksif ( ! current_user_can( 'manage_options' ) ) { wp_die(); }.
- Vulnerable Pattern: The function uses
- Sink (Data Exposure): Identify where
$wpdb->get_resultsorget_optionis called and immediately returned as JSON.- Target: Queries fetching from
{$wpdb->prefix}usersor{$wpdb->prefix}booking_ultra_pro_...tables.
- Target: Queries fetching from
4. Nonce Acquisition Strategy
The plugin likely localizes a nonce for its AJAX requests.
- Identify Localization: Search for
wp_localize_script.grep -rn "wp_localize_script" .- Look for a variable like
bup_ajax_obj(inferred) orbooking_ultra_params(inferred).
- Determine Script Placement: Find which page enqueues the script containing the nonce. It is likely the main booking page or the user profile page.
- Execution:
- Create a test page with the booking shortcode:
[booking_ultra_pro](inferred). - Navigate to this page as a Subscriber.
- Use
browser_evalto extract the nonce:// Example: Adjust based on actual localized object found in step 1 window.bup_ajax_obj?.nonce || window.booking_ultra_params?.security
- Create a test page with the booking shortcode:
5. Exploitation Strategy
Once the action name and nonce are identified:
- Setup: Ensure a Subscriber user is created and logged in.
- Request: Use
http_requestto call the vulnerable AJAX action. - Target Action:
bup_get_all_users(inferred - verify via grep).
HTTP Request Template:
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: Replace [ACTION_NAME] with the specific handler found in Discovery, e.g.,action=[ACTION_NAME]&security=[NONCE_VALUE]&query_type=allbup_fetch_staff.)
6. Test Data Setup
To demonstrate "Sensitive Information Exposure," the environment must contain sensitive data to expose:
- Users: Create multiple users with different roles (Admin, Editor) and fill their profiles with dummy "sensitive" data (phone numbers in metadata).
wp user create staff_member staff@example.com --role=editor --user_pass=passwordwp user填 meta set [ID] phone_number "555-0199"
- Shortcode Page:
wp post create --post_type=page --post_title="Booking" --post_status=publish --post_content='[booking_ultra_pro]'
7. Expected Results
- Successful Exploit: The server returns a
200 OKresponse with a JSON body containing a list of users, their emails, and potentially metadata (phone numbers, addresses) that should only be visible to administrators. - Vulnerability Confirmation: A Subscriber (who should not have access to the full user list) successfully receives data belonging to other users.
8. Verification Steps
- Verify via CLI: Compare the JSON output from the
http_requestwith the actual user database:wp user list --fields=ID,user_email,display_name
- Check Sensitivity: Confirm if the JSON output includes the
user_pass(hash) oruser_emailof the Administrator.
9. Alternative Approaches
If the AJAX action is not bup_get_staff_list, check for:
- Settings Exposure: Action
bup_get_settings. Look for responses containingstripe_api_keyorpaypal_email. - Debug/Log Exposure: Search for actions that return file contents, such as
bup_view_log. - REST API: If AJAX is secure, check
register_rest_routecalls. Look for routes in thebup/v1namespace (inferred) that lack apermission_callbackor use__return_true.
Summary
The Booking Ultra Pro plugin for WordPress is vulnerable to Information Exposure via its AJAX handlers because it fails to perform capability checks. This allows authenticated users with Subscriber-level access to retrieve sensitive data such as user lists, emails, phone numbers, and plugin configuration details by calling administrative AJAX actions.
Vulnerable Code
// Inferred from research plan: Typical vulnerable handler pattern in classes/ or admin/ directories add_action('wp_ajax_bup_get_staff_list', 'bup_get_staff_list_callback'); function bup_get_staff_list_callback() { // Vulnerability: Only checks nonce, missing current_user_can check check_ajax_referer('bup_ajax_nonce', 'security'); global $wpdb; // Fetches sensitive data directly without checking if the user is an administrator $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}users"); echo json_encode($results); wp_die(); }
Security Fix
@@ -5,6 +5,11 @@ function bup_get_staff_list_callback() { check_ajax_referer('bup_ajax_nonce', 'security'); + if (!current_user_can('manage_options')) { + wp_send_json_error('Unauthorized'); + wp_die(); + } + global $wpdb; $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}users");
Exploit Outline
To exploit this vulnerability, an attacker first logs in as a Subscriber. They navigate to a page containing a plugin shortcode (like [booking_ultra_pro]) to extract an AJAX nonce from the localized JavaScript objects (e.g., bup_ajax_obj). Using this nonce, the attacker sends a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to a sensitive function like 'bup_get_staff_list' or 'bup_get_clients' and the 'security' parameter set to the extracted nonce. If successful, the server returns a JSON payload containing sensitive information such as user email addresses, phone numbers, or configuration settings that should be restricted to administrators.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.