# CVE-2026-39585: Booktics <= 1.0.16 - Missing Authorization

## Advisory data

*   **CVE:** CVE-2026-39585
*   **Plugin:** `booktics` (WordPress.org plugin directory; no theme involved)
*   **Affected versions:** <= 1.0.16
*   **Patched in:** 1.0.17
*   **Vulnerability type:** Missing Authorization
*   **Severity:** medium, CVSS 3.1 base score 5.3
*   **CVSS vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` (network-reachable, no privileges or user interaction required; low integrity impact, no confidentiality or availability impact)
*   **Published:** 2026-02-02; **updated:** 2026-04-15 21:30:39
*   **Days to patch:** 73
*   **Reference:** https://www.wordfence.com/threat-intel/vulnerabilities/id/e7b3be2a-1ef7-4270-a055-6be92503149d?source=api-prod
*   **Patch diff files / Trac changeset:** none recorded
*   **Research status:** researched (automated, 3 rounds, model `gemini-3-flash-preview`, started 2026-04-27 17:24:46, completed 2026-04-27 17:26:48); **not verified**. No vulnerable-code excerpt, fix diff or research error was recorded.
*   **Proof of concept:** none recorded (no PoC status, steps, script, exploit code, video or trace)

## Description

The Booktics plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to perform an unauthorized action.

The advisory does not name the affected function, and it does not say the function is an AJAX handler; the research plan below assumes AJAX because that is the most common shape of this bug class in plugins. The vector records `PR:N` with `I:L` and `C:N`, so the documented impact is an unauthenticated, low-integrity change, not data disclosure. Every action name, nonce key, parameter name and shortcode used below is inferred by the automated research pass and must be confirmed against the 1.0.16 source (links at the end of this page) before it is relied on.

## Research plan

This plan targets the **Missing Authorization** vulnerability in **Booktics** (<= 1.0.16). The source files were not provided to the research pass, so the plan describes how to locate the vulnerable AJAX action and exploit it based on the common "Missing Authorization" pattern in WordPress plugins; the action names used as examples are placeholders.

---

### 1. Vulnerability Summary
The Booktics plugin (<= 1.0.16) fails to perform a capability check (e.g., `current_user_can()`) in at least one of its AJAX handlers. Callbacks registered on `wp_ajax_nopriv_{action}` (reachable by unauthenticated visitors) or `wp_ajax_{action}` (reachable by any logged-in user) perform sensitive operations, such as modifying plugin settings, exporting data or managing appointments, without verifying that the requester holds the capability the operation requires. Because the advisory rates the issue as exploitable with no privileges (`PR:N`), the `wp_ajax_nopriv_` registrations are the first place to look.

### 2. Attack Vector Analysis
*   **Endpoint:** `/wp-admin/admin-ajax.php`
*   **Vulnerable hooks (candidates):** `wp_ajax_nopriv_booktics_...` or `wp_ajax_booktics_...`
*   **Action parameter:** `action=booktics_[vulnerable_action]`
*   **Authentication:** unauthenticated if the callback is registered on `wp_ajax_nopriv_`; subscriber level if it is registered only on `wp_ajax_` without a capability check
*   **Payload type:** `application/x-www-form-urlencoded`

### 3. Discovery & Code Flow
Identify which AJAX action is vulnerable before building a request.

**Step 1: Identify all AJAX handlers**
```bash
# matches both wp_ajax_ and wp_ajax_nopriv_ registrations
grep -rn "wp_ajax_" wp-content/plugins/booktics/
```

**Step 2: Analyze the callback functions**
For each registered action (e.g., `booktics_save_settings`, `booktics_export_data`, `booktics_delete_appointment`), trace the callback:
1.  Locate the function definition: `grep -rn "function [function_name]" wp-content/plugins/booktics/`. Callbacks registered as `array( $this, 'method' )` live in a class, so search for the method name rather than the hook name.
2.  Check for `current_user_can( 'manage_options' )` or a comparable capability check.
3.  Check for `check_ajax_referer()` to see whether a nonce is required. A nonce is a CSRF token, not an authorization check: if it is localized on a public page, an unauthenticated visitor can read it, so its presence does not close the finding.

**Vulnerable flow:**
`admin-ajax.php` -> `do_action( 'wp_ajax_nopriv_...' )` -> `Vulnerable_Function()` -> performs `update_option()` or `$wpdb->query()` without checking permissions.

### 4. Nonce Acquisition Strategy
If the vulnerable function calls `check_ajax_referer( 'booktics_nonce_action', 'security' )` (names inferred), a valid nonce must be retrieved from a page the plugin renders.

1.  **Identify nonce localization:**
    Search for `wp_localize_script` to find the JS object that carries the nonce.
    ```bash
    grep -rn "wp_localize_script" wp-content/plugins/booktics/
    ```
2.  **Determine the triggering page:**
    Identify which shortcode or admin page enqueues the script. Candidate shortcodes (inferred; confirm with `grep -rn "add_shortcode" wp-content/plugins/booktics/`): `[booktics_appointment]`, `[booktics_booking]`.
3.  **Create a page:**
    ```bash
    wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content="[booktics_appointment]"
    ```
4.  **Extract the nonce:**
    Open the new page and use `browser_eval` to read the nonce:
    *   *Localization key (inferred):* `booktics_ajax_obj` or `booktics_params`.
    *   *JS command:* `browser_eval("window.booktics_ajax_obj?.nonce")`

### 5. Exploitation Strategy
The walkthrough assumes the vulnerable action is `booktics_save_settings` and that it updates arbitrary WordPress options. Both are placeholders chosen because they are common for this vulnerability class; substitute the action and parameter names found in Step 3.

**Request details:**
*   **Method:** POST
*   **URL:** `http://[target]/wp-admin/admin-ajax.php`
*   **Body:**
    ```
    action=booktics_save_settings&security=[NONCE]&option_name=users_can_register&option_value=1
    ```
    *(If the action writes only the plugin's own settings, the parameters are more likely of the form `settings[registration_enabled]=1`.)*

**Payload for privilege escalation (only if arbitrary option names can be written):**
1.  Set `users_can_register` to `1`.
2.  Set `default_role` to `administrator`.

If the handler is limited to the plugin's own option, the impact stays within the plugin's settings, which is consistent with the advisory's low integrity rating (`I:L`).

### 6. Test Data Setup
1.  Install Booktics version 1.0.16.
2.  Ensure a page with the Booktics shortcode exists so the nonce can be extracted if one is needed.
3.  Record the initial state of the target settings:
    ```bash
    wp option get users_can_register
    wp option get default_role
    ```

### 7. Expected Results
*   **HTTP response:** `200 OK`, typically with a `{"success":true}` body.
*   **Impact:** the plugin performs the action (e.g., updating a global WordPress option) although the request is unauthenticated.

### 8. Verification Steps
After sending the exploit request, confirm the unauthorized change with WP-CLI:
```bash
# Check whether the settings were changed
wp option get users_can_register
wp option get default_role
# If the action was an export, check the AJAX response body for customer data
# If the action managed appointments, check whether an appointment was deleted/modified
```

### 9. Alternative Approaches
If `booktics_save_settings` is not the vulnerable action, look for handlers such as:
1.  **`booktics_export_customers`**: check whether it returns customer PII in the AJAX response.
2.  **`booktics_cancel_appointment`**: check whether it cancels any appointment ID without an ownership check.
3.  **`booktics_update_appointment_status`**: check whether an unauthenticated user can mark appointments as "Paid" or "Confirmed".

**Backup discovery command:**
```bash
# Print the _POST reads that occur within 10 lines before a state-changing option/database call
grep -rP "update_option|wpdb->(insert|update|delete|query)" wp-content/plugins/booktics/ -B 10 | grep "_POST"
```
`admin_post_nopriv_{action}` handlers and REST routes registered with `'permission_callback' => '__return_true'` are other unauthenticated entry points that deserve the same review if no `wp_ajax_nopriv_` registration fits.

## Research summary

The Booktics plugin for WordPress omits a capability check on at least one AJAX handler in versions up to 1.0.16, so an unauthenticated attacker can trigger that handler's action with a crafted request to `admin-ajax.php`. The automated research pass suggests plugin-configuration changes or customer-data access as possible effects, but the advisory's vector (`I:L`, `C:N`) supports only a low-integrity unauthorized action; the handler and its exact effect are unconfirmed.

## Exploit outline (unverified)

1.  Identify vulnerable AJAX actions registered via `wp_ajax_nopriv_` hooks in the plugin code; these are reachable by unauthenticated users.
2.  Visit a public page containing a Booktics booking shortcode and read the AJAX nonce from the localized JavaScript object (inferred name `booktics_ajax_obj`).
3.  Send a POST request to `/wp-admin/admin-ajax.php` with `action` set to the vulnerable action and `security` set to the extracted nonce.
4.  Add the payload parameters for the unauthorized task, such as `option_name` and `option_value` if the handler updates plugin settings (parameter names inferred).

## Source links

*   Vulnerable version 1.0.16: https://plugins.trac.wordpress.org/browser/booktics/tags/1.0.16 (zip: https://downloads.wordpress.org/plugin/booktics.1.0.16.zip)
*   Fixed version 1.0.17: https://plugins.trac.wordpress.org/browser/booktics/tags/1.0.17 (zip: https://downloads.wordpress.org/plugin/booktics.1.0.17.zip)
*   All tags: https://plugins.trac.wordpress.org/browser/booktics/tags
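The discovery step of the research plan (enumerate `wp_ajax_*` registrations, open each callback, look for a capability check and a nonce check, note the option or database sinks) and the backup grep for `_POST` reads near those sinks can be done in one pass. The script below is an example added for this page; it is not Booktics code and not part of the research pass's tooling. It scans a constructed sample plugin whose `demo_*` handlers are hypothetical: one is registered on `wp_ajax_nopriv_` with no checks at all, one has only a nonce, and one is hardened with `current_user_can()`. It resolves only string callbacks (`'demo_save_settings'`), not `array( $this, 'method' )` registrations, and its brace matching ignores braces inside strings and comments, so treat its output as triage, not proof.

```python
"""Heuristic triage of WordPress AJAX handlers that lack a capability check.
Added example, not Booktics code. The PHP below is a constructed sample."""
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample plugin (hypothetical demo_* handlers, not Booktics source).
SAMPLE_PLUGIN_PHP = r'''<?php
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings' );
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings' );
add_action( 'wp_ajax_demo_export_customers', 'demo_export_customers' );
add_action( 'wp_ajax_demo_delete_appointment', 'demo_delete_appointment' );

function demo_save_settings() {
    // No nonce and no capability check: any visitor reaches update_option().
    update_option( sanitize_key( $_POST['option_name'] ), wp_unslash( $_POST['option_value'] ) );
    wp_send_json_success();
}

function demo_export_customers() {
    check_ajax_referer( 'demo_nonce', 'security' );
    // Nonce only: any logged-in user who can read the nonce can export.
    global $wpdb;
    wp_send_json( $wpdb->get_results( "SELECT * FROM " . $wpdb->prefix . "demo_customers" ) );
}

function demo_delete_appointment() {
    check_ajax_referer( 'demo_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'demo_appointments', array( 'id' => absint( $_POST['id'] ) ) );
    wp_send_json_success();
}
'''

# add_action( 'wp_ajax_[nopriv_]action', 'callback' ) with a plain string callback.
HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"](\w+)['"]""")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
SINK_RE = re.compile(r"\b(update_option|delete_option|wpdb->(?:insert|update|delete|query|get_results))\b")


@dataclass
class Finding:
    callback: str
    actions: List[str] = field(default_factory=list)  # action names routed to this callback
    unauthenticated: bool = False                     # any wp_ajax_nopriv_ registration
    has_capability_check: bool = False
    has_nonce_check: bool = False
    sinks: List[str] = field(default_factory=list)    # option/DB calls seen in the body

    @property
    def verdict(self) -> str:
        if self.has_capability_check:
            return "ok: capability check present"
        who = "unauthenticated" if self.unauthenticated else "any logged-in user"
        nonce = "nonce only" if self.has_nonce_check else "no nonce"
        return f"missing authorization: reachable by {who}, {nonce}"


def extract_function_body(src: str, name: str) -> Optional[str]:
    """Return the brace-delimited body of `function name(...)`, or None if absent.
    Counts braces naively (strings/comments are not skipped): good enough for triage."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None


def scan_ajax_handlers(src: str) -> List[Finding]:
    """Group wp_ajax_* registrations by callback and inspect each callback body once."""
    by_callback: Dict[str, Finding] = {}
    for nopriv, action, callback in HOOK_RE.findall(src):
        finding = by_callback.get(callback)
        if finding is None:
            body = extract_function_body(src, callback) or ""
            finding = Finding(
                callback=callback,
                has_capability_check=bool(CAP_RE.search(body)),
                has_nonce_check=bool(NONCE_RE.search(body)),
                sinks=sorted({m.group(1) for m in SINK_RE.finditer(body)}),
            )
            by_callback[callback] = finding
        if action not in finding.actions:
            finding.actions.append(action)
        finding.unauthenticated = finding.unauthenticated or bool(nopriv)
    return list(by_callback.values())


def scan_plugin_dir(plugin_dir: str) -> List[Finding]:
    """Concatenate every .php file under a plugin directory so cross-file callbacks resolve."""
    src = "\n".join(p.read_text(errors="replace") for p in Path(plugin_dir).rglob("*.php"))
    return scan_ajax_handlers(src)


def report(findings: List[Finding]) -> List[str]:
    """One line per callback, unauthenticated/unchecked handlers first."""
    order = sorted(findings, key=lambda f: (f.has_capability_check, not f.unauthenticated))
    return [f"{f.callback}: {f.verdict}; actions={','.join(f.actions)}; sinks={','.join(f.sinks) or '-'}"
            for f in order]


if __name__ == "__main__":
    import sys
    found = scan_plugin_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_ajax_handlers(SAMPLE_PLUGIN_PHP)
    print("\n".join(report(found)))
```

Run it without arguments to see the three verdicts for the sample, or point it at an unpacked plugin tree (`python scan_ajax.py booktics/` after extracting the 1.0.16 zip linked above). Running it against both the 1.0.16 and 1.0.17 trees and diffing the two reports is the quickest way to see which callback gained a capability check in the fix, which is the handler the advisory refers to.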