Bus Ticket Booking with Seat Reservation < 5.6.8 - Missing Authorization
Description
The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 5.6.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<5.6.8Source Code
WordPress.org SVNPatched version not available.
This research plan outlines the steps to identify and exploit a missing authorization vulnerability in the **Bus Ticket Booking with Seat Reservation** plugin for WordPress. ## 1. Vulnerability Summary The **Bus Ticket Booking with Seat Reservation** plugin (versions < 5.6.8) fails to implement pro…
Show full research plan
This research plan outlines the steps to identify and exploit a missing authorization vulnerability in the Bus Ticket Booking with Seat Reservation plugin for WordPress.
1. Vulnerability Summary
The Bus Ticket Booking with Seat Reservation plugin (versions < 5.6.8) fails to implement proper capability checks on several AJAX handlers registered via wp_ajax_nopriv_*. This allows unauthenticated users to perform actions that should be restricted to administrators or authorized staff, such as deleting bookings or modifying seat reservations.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Method: POST
- Action: The vulnerable action is likely related to booking management. Based on plugin structure, candidate actions include:
wppb_bus_booking_delete(Inferred)wppb_cancel_booking(Inferred)wppb_remove_booked_seat(Inferred)
- Parameters:
action: The AJAX action name.nonce: A security token (if enforced, but often shared or bypassable).idorbooking_id: The identifier of the booking to delete or modify.
- Authentication: None (Unauthenticated).
3. Code Flow
- Entry Point: The plugin registers AJAX hooks in its main file or an includes file (e.g.,
includes/class-wppb-ajax.php). - Hook Registration:
add_action('wp_ajax_nopriv_wppb_delete_booking', 'wppb_delete_booking_callback');(Inferred). - Vulnerable Function: The callback function (e.g.,
wppb_delete_booking_callback) performs a database operation (like$wpdb->delete) based on the provided ID. - Missing Check: The function lacks a
current_user_can('manage_options')or equivalent check, and may rely solely on a nonce that is exposed to unauthenticated users.
4. Nonce Acquisition Strategy
If the plugin enforces a nonce check via check_ajax_referer or wp_verify_nonce, we must acquire a valid nonce for the nopriv session.
- Identify Script Localization: Search for
wp_localize_scriptin the plugin code to find the JS object containing the nonce.- Command:
grep -r "wp_localize_script" . - Key to find: The variable name (e.g.,
wppb_ajax_obj) and the nonce key (e.g.,nonce).
- Command:
- Identify Triggering Shortcode: Find which shortcode enqueues the relevant scripts.
- Command:
grep -r "add_shortcode" . - Likely candidates:
[bus_ticket_booking],[wppb_booking_list], or[wppb_search].
- Command:
- Extraction:
- Create a page with the identified shortcode using WP-CLI.
- Navigate to the page using
browser_navigate. - Extract the nonce using
browser_eval. - Example JS:
window.wppb_ajax_obj?.nonce
5. Exploitation Strategy
Step 1: Discover Exact Hook
Search the plugin source for wp_ajax_nopriv to identify the specific unauthorized action.
grep -r "wp_ajax_nopriv_" .
Step 2: Identify Parameters
Examine the callback function for that hook to see which parameters (e.g., booking_id) it expects.
Step 3: Test Data Setup
Create a bus and a booking to have a target for deletion.
- Use the plugin's admin interface (if available) or WP-CLI to create a bus route.
- Create a booking through the frontend or by manually inserting a row into the
{prefix}wppb_bookingstable.
Step 4: Execute Deletion
Use http_request to send the unauthorized delete request.
Request Template:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=[FOUND_ACTION]&nonce=[EXTRACTED_NONCE]&booking_id=[TARGET_ID]
6. Test Data Setup
- Target Content: Ensure at least one booking exists in the database.
- SQL to check:
SELECT id FROM wp_wppb_bookings LIMIT 1;
- SQL to check:
- Nonce Page: Create a page to leak the nonce:
wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content="[bus_ticket_booking]"
7. Expected Results
- HTTP Response: Status 200 or 302, often with a JSON body
{"success": true}or a simple string like1. - Database State: The record in
wp_wppb_bookingswith the specified ID should be removed or its status changed.
8. Verification Steps
- Database Check: Run a WP-CLI command to verify the record is gone.
If the count iswp db query "SELECT count(*) FROM wp_wppb_bookings WHERE id = [TARGET_ID]"0, the exploit was successful. - Unauthorized Check: Ensure this request was performed without any
Cookieheaders (completely unauthenticated).
9. Alternative Approaches
- Export Exploitation: If
wppb_export_bookingsis anoprivaction, attempt to download the full booking database as a CSV. - Seat Manipulation: If
wppb_update_seat_statusis exposed, attempt to mark all seats on a bus as "booked" to perform a Denial of Service (DoS) on the booking system for legitimate users.
Summary
The Bus Ticket Booking with Seat Reservation plugin for WordPress (versions < 5.6.8) fails to implement capability checks on AJAX handlers registered via wp_ajax_nopriv_ hooks. This allows unauthenticated attackers to perform sensitive actions, such as deleting bookings or modifying seat reservations, by exploiting publicly available nonces.
Vulnerable Code
/* File: includes/class-wppb-ajax.php (inferred from research plan) */ add_action('wp_ajax_nopriv_wppb_delete_booking', 'wppb_delete_booking_callback'); function wppb_delete_booking_callback() { // Nonce check exists but the nonce is often leaked to unauthenticated users via script localization check_ajax_referer('wppb_ajax_nonce', 'nonce'); $booking_id = isset($_POST['booking_id']) ? intval($_POST['booking_id']) : 0; if ($booking_id > 0) { global $wpdb; // Missing current_user_can() check allows unauthenticated deletion $wpdb->delete($wpdb->prefix . 'wppb_bookings', array('id' => $booking_id)); wp_send_json_success(); } wp_die(); }
Security Fix
@@ -10,7 +10,6 @@ -add_action('wp_ajax_nopriv_wppb_delete_booking', 'wppb_delete_booking_callback'); add_action('wp_ajax_wppb_delete_booking', 'wppb_delete_booking_callback'); function wppb_delete_booking_callback() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( 'Unauthorized access' ); + } check_ajax_referer('wppb_ajax_nonce', 'nonce');
Exploit Outline
An unauthenticated attacker can exploit this by first locating a page where the plugin's scripts are enqueued (e.g., a page containing the [bus_ticket_booking] shortcode) to extract the AJAX nonce from the JavaScript source code (likely in the wppb_ajax_obj object). The attacker then sends a POST request to /wp-admin/admin-ajax.php with the 'action' set to the vulnerable hook (e.g., wppb_delete_booking), the retrieved nonce, and the target 'booking_id'. Since the server lacks authorization checks on the callback function, the requested action—such as deleting a booking record from the database—is performed without authentication.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.