[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fb5H5BjX_azuJCRfBWXJJo25YQxnEwRaNt_BXszXNavI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-1920","booktics-missing-authorization-to-addon-plugin-installation","Booktics \u003C= 1.0.16 - Missing Authorization to Addon Plugin Installation","The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins.","booktics",null,"\u003C=1.0.16","1.0.17","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authentication for Critical Function","2026-03-09 13:22:01","2026-03-10 02:21:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fab051f4a-030a-44aa-8cbf-665c6c6d31a7?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fbuild\u002Fchunks\u002Fjs\u002F2031.js","assets\u002Fbuild\u002Fchunks\u002Fjs\u002F4576.js","assets\u002Fbuild\u002Fchunks\u002Fjs\u002F7492.js","assets\u002Fbuild\u002Fchunks\u002Fjs\u002F7559.js","assets\u002Fbuild\u002Fchunks\u002Fjs\u002F8470.js","assets\u002Fbuild\u002Fjs\u002Ffrontend.asset.php","assets\u002Fbuild\u002Fjs\u002Ffrontend.js","assets\u002Fbuild\u002Fjs\u002Fpackages.asset.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-1920 - Booktics Unauthorized Addon Installation\n\n## 1. Vulnerability Summary\nThe **Booktics** plugin (versions \u003C= 1.0.16) contains a missing authorization vulnerability in its REST API implementation. Specifically, the `Extension_Controller::update_item_permissions_check` function fails to implement any capability checks (such as `current_user_can('install_plugins')`). This allows unauthenticated attackers to interact with the extension update endpoint, which triggers the installation of addon plugins.\n\n## 2. Attack Vector Analysis\n*   **REST API Endpoint:** The vulnerability resides in the `Extension_Controller` class, which typically handles routes under the `booktics\u002Fv1` namespace.\n*   **Vulnerable Route:** Likely `POST` or `PUT` requests to `\u002Fwp-json\u002Fbooktics\u002Fv1\u002Fextensions\u002F(?P\u003Cslug>[\\w-]+)`.\n*   **Vulnerable Function:** `Extension_Controller::update_item_permissions_check`.\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** The Booktics plugin must be active.\n\n## 3. Code Flow\n1.  An HTTP request is sent to the REST API endpoint: `POST \u002Fwp-json\u002Fbooktics\u002Fv1\u002Fextensions\u002F\u003Caddon-slug>`.\n2.  The WordPress REST API server receives the request and matches it to the `Extension_Controller` routes.\n3.  The server calls the `permission_callback` for the update method: `Extension_Controller::update_item_permissions_check`.\n4.  **Vulnerability Point:** The `update_item_permissions_check` function returns `true` (or lacks a check), granting access to unauthenticated users.\n5.  The server then calls the action callback: `Extension_Controller::update_item`.\n6.  The `update_item` method processes the provided slug and initiates the installation\u002Factivation process for the specified addon.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, there is **missing authentication**, implying the `permission_callback` returns `true` regardless of the user's login status. \n\nIn WordPress REST API architecture:\n*   If a request is sent **without session cookies**, the REST API does not require a `_wpnonce` (`X-WP-Nonce`) header, as there is no session to protect against CSRF.\n*   The API relies solely on the `permission_callback` to authorize the action.\n*   Since `update_item_permissions_check` is broken and returns `true`, an unauthenticated request with no cookies should bypass all security controls.\n\n**No nonce acquisition is required for this exploit.**\n\n## 5. Exploitation Strategy\nThe goal is to trigger the installation of an addon plugin (e.g., the Stripe addon referenced in `assets\u002Fbuild\u002Fchunks\u002Fjs\u002F2031.js`).\n\n### Step 1: Identify the exact REST route\nThe agent should first confirm the available REST routes for the plugin.\n*   **Action:** Use `wp rest route list --regex=\"booktics\"` to find the namespace and extension endpoints.\n*   **Inferred Route:** `booktics\u002Fv1\u002Fextensions\u002F(?P\u003Cslug>[\\w-]+)`\n\n### Step 2: Identify valid addon slugs\nBased on the source files, `stripe` is a valid extension.\n*   **Potential Slugs:** `stripe`, `google-calendar`, `whatsapp`, `subscription`.\n\n### Step 3: Execute the installation request\nSend a `POST` request to the extension endpoint.\n*   **Tool:** `http_request`\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fbooktics\u002Fv1\u002Fextensions\u002Fstripe`\n*   **Headers:** `Content-Type: application\u002Fjson`\n*   **Body:** `{}` (The endpoint likely uses the slug from the URL to determine which plugin to install).\n\n## 6. Test Data Setup\n1.  Install and activate **Booktics** version 1.0.16.\n2.  Ensure no Booktics addons (like Booktics Stripe) are currently installed or active.\n3.  Set the WordPress environment to allow outgoing requests if the plugin fetches addons from an external repository.\n\n## 7. Expected Results\n*   The REST API should return a `200 OK` or `201 Created` status code.\n*   The response body should contain confirmation of the installation or the current status of the extension (e.g., `{\"status\": \"installed\"}`).\n*   A new plugin directory (e.g., `wp-content\u002Fplugins\u002Fbooktics-stripe\u002F`) should be created.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the results using WP-CLI:\n1.  **Check Plugin Directory:**\n    `ls -la \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002F`\n    Confirm if a new addon folder (e.g., `booktics-stripe`) exists.\n2.  **Check Plugin List:**\n    `wp plugin list`\n    Confirm the status of the new addon. It may be installed but inactive, or installed and active depending on the `update_item` logic.\n3.  **Check Plugin Options:**\n    `wp option get booktics_extensions` (inferred option name) to see if the internal state has been updated.\n\n## 9. Alternative Approaches\nIf the `POST` request to `\u002Fextensions\u002F\u003Cslug>` fails:\n1.  **Try different methods:** Some WordPress developers use `GET` for actions that should be `POST`, or require `PUT`. Try `PUT \u002Fwp-json\u002Fbooktics\u002Fv1\u002Fextensions\u002Fstripe`.\n2.  **Try different parameters:** The endpoint might require a specific JSON body, such as `{\"action\": \"install\"}` or `{\"active\": true}`.\n3.  **Discover through WP-CLI:** Use `wp rest route list` to see if there are other endpoints related to \"addons\" or \"modules\" if \"extensions\" is not the correct term used in the final route registration.","gemini-3-flash-preview","2026-04-18 05:14:38","2026-04-18 05:15:07",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.0.16","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooktics\u002Ftags\u002F1.0.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooktics.1.0.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooktics\u002Ftags\u002F1.0.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooktics.1.0.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooktics\u002Ftags"]