CVE-2025-66105

Bus Ticket Booking with Seat Reservation < 5.6.8 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
5.6.8
Patched in
5d
Time to patch

Description

The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 5.6.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<5.6.8
PublishedMay 7, 2026
Last updatedMay 11, 2026

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

This research plan outlines the steps to identify and exploit a missing authorization vulnerability in the **Bus Ticket Booking with Seat Reservation** plugin for WordPress. ## 1. Vulnerability Summary The **Bus Ticket Booking with Seat Reservation** plugin (versions < 5.6.8) fails to implement pro…

Show full research plan

This research plan outlines the steps to identify and exploit a missing authorization vulnerability in the Bus Ticket Booking with Seat Reservation plugin for WordPress.

1. Vulnerability Summary

The Bus Ticket Booking with Seat Reservation plugin (versions < 5.6.8) fails to implement proper capability checks on several AJAX handlers registered via wp_ajax_nopriv_*. This allows unauthenticated users to perform actions that should be restricted to administrators or authorized staff, such as deleting bookings or modifying seat reservations.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Action: The vulnerable action is likely related to booking management. Based on plugin structure, candidate actions include:
    • wppb_bus_booking_delete (Inferred)
    • wppb_cancel_booking (Inferred)
    • wppb_remove_booked_seat (Inferred)
  • Parameters:
    • action: The AJAX action name.
    • nonce: A security token (if enforced, but often shared or bypassable).
    • id or booking_id: The identifier of the booking to delete or modify.
  • Authentication: None (Unauthenticated).

3. Code Flow

  1. Entry Point: The plugin registers AJAX hooks in its main file or an includes file (e.g., includes/class-wppb-ajax.php).
  2. Hook Registration: add_action('wp_ajax_nopriv_wppb_delete_booking', 'wppb_delete_booking_callback'); (Inferred).
  3. Vulnerable Function: The callback function (e.g., wppb_delete_booking_callback) performs a database operation (like $wpdb->delete) based on the provided ID.
  4. Missing Check: The function lacks a current_user_can('manage_options') or equivalent check, and may rely solely on a nonce that is exposed to unauthenticated users.

4. Nonce Acquisition Strategy

If the plugin enforces a nonce check via check_ajax_referer or wp_verify_nonce, we must acquire a valid nonce for the nopriv session.

  1. Identify Script Localization: Search for wp_localize_script in the plugin code to find the JS object containing the nonce.
    • Command: grep -r "wp_localize_script" .
    • Key to find: The variable name (e.g., wppb_ajax_obj) and the nonce key (e.g., nonce).
  2. Identify Triggering Shortcode: Find which shortcode enqueues the relevant scripts.
    • Command: grep -r "add_shortcode" .
    • Likely candidates: [bus_ticket_booking], [wppb_booking_list], or [wppb_search].
  3. Extraction:
    • Create a page with the identified shortcode using WP-CLI.
    • Navigate to the page using browser_navigate.
    • Extract the nonce using browser_eval.
    • Example JS: window.wppb_ajax_obj?.nonce

5. Exploitation Strategy

Step 1: Discover Exact Hook

Search the plugin source for wp_ajax_nopriv to identify the specific unauthorized action.

grep -r "wp_ajax_nopriv_" .

Step 2: Identify Parameters

Examine the callback function for that hook to see which parameters (e.g., booking_id) it expects.

Step 3: Test Data Setup

Create a bus and a booking to have a target for deletion.

  1. Use the plugin's admin interface (if available) or WP-CLI to create a bus route.
  2. Create a booking through the frontend or by manually inserting a row into the {prefix}wppb_bookings table.

Step 4: Execute Deletion

Use http_request to send the unauthorized delete request.

Request Template:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=[FOUND_ACTION]&nonce=[EXTRACTED_NONCE]&booking_id=[TARGET_ID]

6. Test Data Setup

  1. Target Content: Ensure at least one booking exists in the database.
    • SQL to check: SELECT id FROM wp_wppb_bookings LIMIT 1;
  2. Nonce Page: Create a page to leak the nonce:
    wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content="[bus_ticket_booking]"
    

7. Expected Results

  • HTTP Response: Status 200 or 302, often with a JSON body {"success": true} or a simple string like 1.
  • Database State: The record in wp_wppb_bookings with the specified ID should be removed or its status changed.

8. Verification Steps

  1. Database Check: Run a WP-CLI command to verify the record is gone.
    wp db query "SELECT count(*) FROM wp_wppb_bookings WHERE id = [TARGET_ID]"
    
    If the count is 0, the exploit was successful.
  2. Unauthorized Check: Ensure this request was performed without any Cookie headers (completely unauthenticated).

9. Alternative Approaches

  • Export Exploitation: If wppb_export_bookings is a nopriv action, attempt to download the full booking database as a CSV.
  • Seat Manipulation: If wppb_update_seat_status is exposed, attempt to mark all seats on a bus as "booked" to perform a Denial of Service (DoS) on the booking system for legitimate users.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Bus Ticket Booking with Seat Reservation plugin for WordPress (versions < 5.6.8) fails to implement capability checks on AJAX handlers registered via wp_ajax_nopriv_ hooks. This allows unauthenticated attackers to perform sensitive actions, such as deleting bookings or modifying seat reservations, by exploiting publicly available nonces.

Vulnerable Code

/* File: includes/class-wppb-ajax.php (inferred from research plan) */
add_action('wp_ajax_nopriv_wppb_delete_booking', 'wppb_delete_booking_callback');

function wppb_delete_booking_callback() {
    // Nonce check exists but the nonce is often leaked to unauthenticated users via script localization
    check_ajax_referer('wppb_ajax_nonce', 'nonce');

    $booking_id = isset($_POST['booking_id']) ? intval($_POST['booking_id']) : 0;
    if ($booking_id > 0) {
        global $wpdb;
        // Missing current_user_can() check allows unauthenticated deletion
        $wpdb->delete($wpdb->prefix . 'wppb_bookings', array('id' => $booking_id));
        wp_send_json_success();
    }
    wp_die();
}

Security Fix

--- a/includes/class-wppb-ajax.php
+++ b/includes/class-wppb-ajax.php
@@ -10,7 +10,6 @@
-add_action('wp_ajax_nopriv_wppb_delete_booking', 'wppb_delete_booking_callback');
 add_action('wp_ajax_wppb_delete_booking', 'wppb_delete_booking_callback');
 
 function wppb_delete_booking_callback() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( 'Unauthorized access' );
+    }
     check_ajax_referer('wppb_ajax_nonce', 'nonce');

Exploit Outline

An unauthenticated attacker can exploit this by first locating a page where the plugin's scripts are enqueued (e.g., a page containing the [bus_ticket_booking] shortcode) to extract the AJAX nonce from the JavaScript source code (likely in the wppb_ajax_obj object). The attacker then sends a POST request to /wp-admin/admin-ajax.php with the 'action' set to the vulnerable hook (e.g., wppb_delete_booking), the retrieved nonce, and the target 'booking_id'. Since the server lacks authorization checks on the callback function, the requested action—such as deleting a booking record from the database—is performed without authentication.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.