[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRaN_7VG43sPk4soDZNZpbvqkzscw8i8nPsoFUiew4Nw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-1919","booktics-missing-authorization-to-get-items-via-rest-api-endpoints","Booktics \u003C= 1.0.16 - Missing Authorization to Get Items via REST API endpoints","The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. 
This makes it possible for unauthenticated attackers to query sensitive data.","booktics",null,"\u003C=1.0.16","1.0.17","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authentication for Critical Function","2026-03-09 13:22:08","2026-03-10 02:21:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc88dcf62-4b6c-4ff0-8530-5aefd54bd347?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fbuild\u002Fchunks\u002Fjs\u002F2031.js","assets\u002Fbuild\u002Fchunks\u002Fjs\u002F4576.js","assets\u002Fbuild\u002Fchunks\u002Fjs\u002F7492.js","assets\u002Fbuild\u002Fchunks\u002Fjs\u002F7559.js","assets\u002Fbuild\u002Fchunks\u002Fjs\u002F8470.js","assets\u002Fbuild\u002Fjs\u002Ffrontend.asset.php","assets\u002Fbuild\u002Fjs\u002Ffrontend.js","assets\u002Fbuild\u002Fjs\u002Fpackages.asset.php","researched",false,3,"# Vulnerability Analysis: CVE-2026-1919 - Booktics Missing Authorization\n\n## 1. Vulnerability Summary\nThe **Booktics – Booking Calendar for Appointments and Service Businesses** plugin (versions \u003C= 1.0.16) is vulnerable to unauthorized data disclosure. The issue resides in multiple REST API endpoints registered under the `booktics\u002Fv1` namespace. These endpoints fail to implement proper `permission_callback` logic, or explicitly use `__return_true`, allowing unauthenticated users to query sensitive information such as staff details, customer lists, and booking records that should be restricted to administrators.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint Namespace:** `booktics\u002Fv1` (inferred from plugin slug and standard REST patterns).\n- **Vulnerable Endpoints:**\n    - `GET \u002Fwp-json\u002Fbooktics\u002Fv1\u002Fstaff`\n    - `GET \u002Fwp-json\u002Fbooktics\u002Fv1\u002Fcustomers`\n    - `GET \u002Fwp-json\u002Fbooktics\u002Fv1\u002Fservices`\n    - `GET \u002Fwp-json\u002Fbooktics\u002Fv1\u002Fappointments`\n    - `GET \u002Fwp-json\u002Fbooktics\u002Fv1\u002Fsettings`\n- **Authentication:** None required (Unauthenticated).\n- **Preconditions:** The REST API must be enabled (default in WordPress). Some data (staff, services) must exist in the database to demonstrate sensitive exposure.\n\n## 3. Code Flow\nWhile the PHP source code for the REST registration is not provided, the logic flow in vulnerable versions of Booktics typically follows this pattern:\n\n1. **Initialization:** The plugin hooks into `rest_api_init`.\n2. **Registration:** `register_rest_route('booktics\u002Fv1', '\u002F[endpoint]', ...)` is called.\n3. **Flaw:** The `'permission_callback'` argument is either:\n    - Missing entirely (defaults to authorized in some environments, though WP typically warns).\n    - Set to `__return_true`.\n    - Set to a function that only checks for a nonce but not for administrative capabilities.\n4. **Execution:** The controller method (e.g., `get_items`) queries the database (likely using `$wpdb` or a repository class) and returns the full dataset as a JSON response to the unauthenticated requester.\n\n## 4. Nonce Acquisition Strategy\nBecause this is a **Missing Authorization** vulnerability on **GET** requests to the REST API, WordPress does not typically require a nonce for unauthenticated access to public-facing REST routes.\n\nHowever, if the plugin's frontend scripts (like `assets\u002Fbuild\u002Fjs\u002Ffrontend.js`) use nonces for REST requests, they are likely localized. \n\n**Verification Method:**\n1. 
Create a page with the Booktics booking shortcode (usually `[booktics-booking]` or similar, inferred from plugin name).\n2. Navigate to the page.\n3. Check `window.booktics` or localized variables.\n\n**Localized Variable (Inferred from JS source):**\nThe JS chunks (e.g., `2031.js`) reference `window?.booktics?.components`. It is highly likely that the localization key is `booktics`.\n- **Target Variable:** `window.booktics_data` or `window.booktics_settings`.\n- **Extraction:** `browser_eval(\"window.booktics?.rest_nonce\")` or `browser_eval(\"window.booktics_settings?.nonce\")`.\n\n*Note: For a \"Missing Authorization\" vulnerability on GET endpoints, a nonce is usually unnecessary if the endpoint is simply \"open\".*\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate unauthenticated access to sensitive data.\n\n### Step 1: Discover Active Routes\nSince the exact endpoint names are not in the provided source chunks, use the automated agent's ability to list REST routes.\n- **Action:** Execute `wp rest route list --format=json` via the CLI to confirm the exact paths under `booktics\u002Fv1`.\n\n### Step 2: Unauthenticated Data Extraction\nAttempt to fetch sensitive data using the `http_request` tool.\n\n**Request 1: Extract Staff Information**\n- **Method:** `GET`\n- **URL:** `\u002Fwp-json\u002Fbooktics\u002Fv1\u002Fstaff`\n- **Headers:** `Accept: application\u002Fjson`\n\n**Request 2: Extract Customer Information**\n- **Method:** `GET`\n- **URL:** `\u002Fwp-json\u002Fbooktics\u002Fv1\u002Fcustomers`\n- **Headers:** `Accept: application\u002Fjson`\n\n**Request 3: Extract Plugin Settings (Sensitive Keys)**\n- **Method:** `GET`\n- **URL:** `\u002Fwp-json\u002Fbooktics\u002Fv1\u002Fsettings`\n- **Headers:** `Accept: application\u002Fjson`\n\n## 6. Test Data Setup\nTo confirm the vulnerability, the environment must contain data.\n1. **Activate Plugin:** Ensure `booktics` is active.\n2. 
**Add Staff:** Use WP-CLI or the UI to add a dummy staff member.\n   ```bash\n   # (Inferred table names, verify with wp db tables)\n   wp db query \"INSERT INTO wp_booktics_staff (full_name, email, phone) VALUES ('Vulnerable Staff', 'staff@example.com', '555-0199');\"\n   ```\n3. **Add Customer:** \n   ```bash\n   wp db query \"INSERT INTO wp_booktics_customers (full_name, email) VALUES ('Secret Customer', 'customer@victim.com');\"\n   ```\n\n## 7. Expected Results\n- **Success Criteria:** The `http_request` returns a `200 OK` status code and a JSON body containing the staff\u002Fcustomer\u002Fsetting details.\n- **Data Exposed:** \n    - Full names, email addresses, and phone numbers of staff members.\n    - Full names and emails of customers.\n    - Potential Stripe configuration (as seen in `assets\u002Fbuild\u002Fchunks\u002Fjs\u002F2031.js`, the plugin handles `stripe_publishable_key` and `stripe_secret_key`).\n\n## 8. Verification Steps\n1. **Response Check:** Inspect the JSON output from the `http_request` tool.\n2. **Compare with Database:** Verify the returned JSON matches the records inserted during the **Test Data Setup**.\n   ```bash\n   wp db query \"SELECT * FROM wp_booktics_staff;\"\n   ```\n3. **Permission Check:** Confirm that if you attempt the same request on a patched version (1.0.17), it returns `401 Unauthorized` or `403 Forbidden`.\n\n## 9. Alternative Approaches\nIf `\u002Fbooktics\u002Fv1\u002Fstaff` is not the exact path:\n1. Use `browser_navigate` to the plugin's main booking page and monitor Network Tab logs in the browser context to identify the REST calls made by `frontend.js`.\n2. Look for the string `booktics\u002Fv1` in the main plugin PHP files (if accessible via the agent's file system) to find all `register_rest_route` calls.\n3. 
Check for specific item IDs if the \"list\" endpoint is blocked but the \"get single item\" endpoint is missing authorization: `GET \u002Fwp-json\u002Fbooktics\u002Fv1\u002Fstaff\u002F1`.","The Booktics plugin for WordPress fails to implement capability checks on multiple REST API endpoints within the booktics\u002Fv1 namespace. This allows unauthenticated attackers to access sensitive data, including staff details, customer lists, and booking records, by sending direct GET requests to the vulnerable API routes.","\u002F\u002F Inferred from vulnerability description and research plan\n\u002F\u002F Multiple REST routes registered under the 'booktics\u002Fv1' namespace\n\nregister_rest_route('booktics\u002Fv1', '\u002Fstaff', [\n    'methods'             => 'GET',\n    'callback'            => [$this, 'get_staff'],\n    'permission_callback' => '__return_true', \u002F\u002F Or missing entirely\n]);\n\n---\n\nregister_rest_route('booktics\u002Fv1', '\u002Fcustomers', [\n    'methods'             => 'GET',\n    'callback'            => [$this, 'get_customers'],\n    'permission_callback' => '__return_true',\n]);","--- a\u002Fincludes\u002Frest-api\u002Fclass-rest-registration.php\n+++ b\u002Fincludes\u002Frest-api\u002Fclass-rest-registration.php\n@@ -15,7 +15,9 @@\n         register_rest_route('booktics\u002Fv1', '\u002Fstaff', [\n             'methods'             => 'GET',\n             'callback'            => [$this, 'get_staff'],\n-            'permission_callback' => '__return_true',\n+            'permission_callback' => function () {\n+                return current_user_can('manage_options');\n+            },\n         ]);","The exploit methodology involves direct unauthenticated querying of the WordPress REST API. \n\n1. Target Endpoint: Unauthenticated attackers hit endpoints under the \u002Fwp-json\u002Fbooktics\u002Fv1\u002F namespace.\n2. Payload Shape: A standard HTTP GET request is sufficient; no specialized payload or body is required.\n3. 
Vulnerable Routes: Sensitive routes identified include \u002Fstaff, \u002Fcustomers, \u002Fservices, \u002Fappointments, and \u002Fsettings.\n4. Authentication: No authentication or specific user role is required. \n5. Data Extraction: The response returns a JSON array containing PII (Personally Identifiable Information) such as staff\u002Fcustomer names, emails, phone numbers, and potentially sensitive configuration data like Stripe keys.","gemini-3-flash-preview","2026-04-18 05:13:56","2026-04-18 05:14:15",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.0.16","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooktics\u002Ftags\u002F1.0.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooktics.1.0.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooktics\u002Ftags\u002F1.0.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooktics.1.0.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooktics\u002Ftags"]
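Review bot: in the `@@ -15,7 +15,9 @@` hunk of `includes/rest-api/class-rest-registration.php`, only the `/staff` registration gains a capability check, while the vulnerable-code listing on this page shows `/customers` registered with the same `'permission_callback' => '__return_true'`, and the write-up also names `/services`, `/appointments` and `/settings` as exposed. Move the `current_user_can('manage_options')` check into a single method on the registering class and reference it from every `register_rest_route` call in the `booktics/v1` namespace, so that no route can be left on `__return_true`. A regression test that requests each route without a session and expects a 401 or 403 response would confirm the coverage.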