[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9u3VPPeUSN7xBBE57fiXyCZx3t7gSbRkodvTTfqzZxE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2025-12573","bookingor-missing-authorization-2","Bookingor \u003C= 1.0.12 - Missing Authorization","The Bookingor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","bookingor",null,"\u003C=1.0.12","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-20 00:00:00","2026-01-27 19:14:50",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7f7e3198-39bb-4f56-ace0-dc835a435ce4?source=api-prod",[],"researched",false,3,"This research plan focuses on identifying and exploiting a **Missing Authorization** vulnerability in the **Bookingor** plugin (\u003C= 1.0.12). 
\n\nSince specific source files were not provided, the plan is designed to guide an automated agent through a systematic discovery and exploitation process based on the known vulnerability type (authenticated unauthorized action).\n\n---\n\n### 1. Vulnerability Summary\nThe Bookingor plugin fails to implement proper capability checks (e.g., `current_user_can()`) on one or more AJAX handlers. This allows any authenticated user, such as a **Subscriber**, to execute administrative functions. Typical impacts in booking plugins include modifying appointments, deleting schedules, or changing plugin settings.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action:** An AJAX hook registered via `wp_ajax_{action_name}`.\n*   **Parameter:** Typically `action` plus specific data parameters (e.g., `id`, `settings`, `booking_id`).\n*   **Authentication:** Authenticated (Subscriber level).\n*   **Preconditions:** The attacker must have a valid session cookie for a Subscriber-level account.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX hook in its main class or an AJAX-specific class: `add_action('wp_ajax_bookingor_...', 'handler_function_name');`.\n2.  **Lack of Authorization:** The `handler_function_name` contains logic to modify the database or plugin state but does **not** call `current_user_can('manage_options')` or an equivalent check.\n3.  **Potential CSRF Check:** The function may or may not call `check_ajax_referer()`. If it does, a nonce must be obtained.\n4.  **Sink:** The function interacts with `$wpdb` or `update_option()` to perform the unauthorized action.\n\n### 4. Nonce Acquisition Strategy\nIf the target AJAX handler requires a nonce, it is likely localized for the WordPress dashboard or specific frontend pages.\n\n1.  **Identify Potential Nonces:** Use `grep -r \"wp_create_nonce\" .` to find nonce action strings.\n2.  
**Identify Localization:** Search for `wp_localize_script` to see how nonces are passed to the JS context. Look for variable names like `bookingor_ajax_obj` or `bookingor_params`.\n3.  **Extraction:**\n    *   **Action:** Create a subscriber user and log in.\n    *   **Method:** Navigate to the plugin's frontend booking page or the Subscriber's dashboard.\n    *   **Execution:** Use `browser_eval` to extract the nonce:\n        ```javascript\n        \u002F\u002F Example (inferred variable name)\n        window.bookingor_ajax?.nonce || window.bookingor_params?.nonce\n        ```\n\n### 5. Exploitation Strategy\nThe agent will first identify the specific vulnerable action and then execute it as a Subscriber.\n\n**Step 1: Identify the Vulnerable Action**\nSearch the plugin code for `wp_ajax_` hooks that do not contain `current_user_can`.\n```bash\ngrep -r \"wp_ajax_\" . | cut -d \":\" -f 1 | xargs grep -L \"current_user_can\"\n```\n*Look for actions like `bookingor_save_settings`, `bookingor_delete_appointment`, or `bookingor_update_status`.*\n\n**Step 2: Construct the Payload**\nIf a settings update action is found (e.g., `bookingor_save_general_settings`), the payload would look like this:\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    action=bookingor_save_settings&nonce=[NONCE]&option_name=users_can_register&option_value=1\n    ```\n    *(Note: The exact parameters depend on the handler's logic discovered in Step 1).*\n\n### 6. Test Data Setup\n1.  **Create Subscriber:** `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n2.  **Create Booking (if needed):** If the vulnerability involves modifying bookings, create one first via WP-CLI or the admin interface.\n3.  **Identify Shortcode:** `grep -r \"add_shortcode\" .`\n4.  
**Create Page:** `wp post create --post_type=page --post_status=publish --post_title=\"Booking\" --post_content=\"[bookingor_calendar]\"` (inferred shortcode).\n\n### 7. Expected Results\n*   **Success Response:** The server returns a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   **State Change:** A setting in `wp_options` is changed, a booking is deleted, or a new user is created\u002Fmodified, which should have been restricted to administrators.\n\n### 8. Verification Steps\n1.  **Check Settings:** If the exploit targeted settings: `wp option get [option_name]`.\n2.  **Check Database:** If the exploit modified bookings: `wp db query \"SELECT * FROM wp_bookingor_bookings WHERE id=[ID]\"` (table name inferred).\n3.  **Check Capabilities:** If the exploit modified user roles: `wp user get attacker --field=roles`.\n\n### 9. Alternative Approaches\n*   **Unauthenticated Check:** If the plugin uses `wp_ajax_nopriv_` for a sensitive action, try the exploit without any authentication.\n*   **Blind Exploitation:** If the action triggers an export or email, check for file creation in `wp-content\u002Fuploads\u002F` or use an out-of-band listener if SSRF is suspected within the unauthorized action.\n*   **Global Options:** Look for actions that use `update_option()` with user-supplied keys, which could lead to a full site takeover by enabling registration and setting the default role to administrator.","The Bookingor plugin for WordPress is vulnerable to unauthorized access in versions up to, and including, 1.0.12 due to missing capability checks on its AJAX handlers. This allows authenticated attackers with subscriber-level permissions to perform administrative actions, such as modifying plugin settings or managing booking data.","To exploit this vulnerability, an attacker first logs into the WordPress site with subscriber-level privileges. 
They must identify a sensitive AJAX action registered via a `wp_ajax_` hook that lacks a `current_user_can()` check. After obtaining a valid security nonce (typically found in localized script variables like `bookingor_params.nonce`), the attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` containing the vulnerable `action` and the desired payload parameters to modify settings or manipulate data.","gemini-3-flash-preview","2026-05-05 05:22:14","2026-05-05 05:22:31",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbookingor\u002Ftags"]