CVE-2026-39572

Bus Ticket Booking with Seat Reservation < 5.6.5 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
5.6.5
Patched in
45d
Time to patch

Description

The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 5.6.5 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<5.6.5
PublishedMarch 22, 2026
Last updatedMay 5, 2026

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

Based on the vulnerability details for **CVE-2026-39572**, this is an unauthenticated information exposure vulnerability in the **Bus Ticket Booking with Seat Reservation** plugin. This type of vulnerability typically occurs when a `wp_ajax_nopriv_` action or a REST API endpoint fails to implement p…

Show full research plan

Based on the vulnerability details for CVE-2026-39572, this is an unauthenticated information exposure vulnerability in the Bus Ticket Booking with Seat Reservation plugin. This type of vulnerability typically occurs when a wp_ajax_nopriv_ action or a REST API endpoint fails to implement proper authorization checks, allowing any user to query sensitive data.

1. Vulnerability Summary

The plugin exposes sensitive information (likely booking details, customer PII, or internal configuration) through an AJAX handler registered with the wp_ajax_nopriv_ hook. Because this hook is accessible to unauthenticated users and the associated callback function lacks sufficient capability checks (e.g., current_user_can) or ownership verification, an attacker can extract data by providing valid identifiers (like booking IDs) to the endpoint.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wppb_get_booking_info or wppb_get_customer_details (inferred from plugin naming conventions; needs verification in source).
  • Parameters: action, booking_id (or ticket_id), and potentially a nonce.
  • Authentication: None required (unauthenticated).
  • Preconditions: At least one booking must exist in the system for PII exposure, or the "configuration" exposure must be a global setting.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an unauthenticated AJAX handler in its main class or an AJAX-specific class:
    add_action( 'wp_ajax_nopriv_wppb_get_booking_info', 'wppb_get_booking_info_callback' );
  2. Handler Execution: The wppb_get_booking_info_callback function is called.
  3. Missing Authorization: The function likely retrieves a booking_id from $_POST or $_GET.
  4. Database Query: It performs a query like $wpdb->get_row("SELECT * FROM {$wpdb->prefix}wppb_bookings WHERE id = $booking_id") without verifying if the requester is an admin or the owner of the booking.
  5. Information Leak: The results (including names, emails, phone numbers, or seat details) are returned via wp_send_json() or echo json_encode().

4. Nonce Acquisition Strategy

If the endpoint requires a nonce, it is likely localized for the frontend booking form or search page.

  • Shortcode Identification: The plugin uses shortcodes like [wppb_booking_form] or [wppb_search_ticket] to render frontend interfaces.
  • Strategy:
    1. Create a page containing the booking search shortcode to trigger script/nonce loading.
    2. Navigate to the page.
    3. Extract the nonce from the global JavaScript object localized by the plugin.
  • Localization Data:
    • JS Variable: wppb_ajax_obj (inferred) or wppb_js_var (inferred).
    • Nonce Key: nonce or wppb_nonce.
  • Browser Eval Command:
    browser_eval("window.wppb_ajax_obj?.nonce || window.wppb_js_var?.wppb_nonce")

5. Exploitation Strategy

The goal is to request the sensitive data via the AJAX endpoint.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Payload:
    action=wppb_get_booking_info&booking_id=1&nonce=[EXTRACTED_NONCE]
    

Step-by-Step:

  1. Discovery: Use grep -r "wp_ajax_nopriv_" . in the plugin directory to find the exact action name. Look for handlers returning database rows.
  2. Setup: Create dummy booking data via the plugin's frontend or WP-CLI (if possible) to ensure there is something to "expose."
  3. Nonce Retrieval: Use the shortcode method described in Section 4 if a nonce check is found in the code.
  4. Information Extraction: Loop through booking_id values (e.g., 1-10) using http_request to identify which IDs return data.
  5. Data Capture: Parse the JSON response for sensitive fields (email, phone, address).

6. Test Data Setup

  1. Install Plugin: Ensure bus-ticket-booking-with-seat-reservation < 5.6.5 is active.
  2. Create a Booking:
    # Since we need to test PII exposure, we need a booking.
    # If the plugin has a CLI, use it. Otherwise, use the frontend.
    wp post create --post_type=page --post_title="Booking" --post_content='[wppb_booking_form]' --post_status=publish
    
  3. Add a Test User/Customer: Manually or via script, ensure a booking exists in the custom table (usually wp_wppb_bookings).

7. Expected Results

  • An unauthenticated POST request to admin-ajax.php returns a 200 OK response.
  • The response body contains a JSON object with keys like customer_name, customer_email, customer_phone, or seat_number.
  • Example Vulnerable Response:
    {
        "success": true,
        "data": {
            "id": "1",
            "name": "John Doe",
            "email": "john@example.com",
            "phone": "555-0199",
            "bus_id": "10",
            "seats": "A1, A2"
        }
    }
    

8. Verification Steps

  1. Check DB State: Use WP-CLI to verify the data exists in the database.
    wp db query "SELECT * FROM wp_wppb_bookings LIMIT 1;"
  2. Compare Output: Compare the fields returned in the HTTP response with the fields in the database. If they match and contain PII, the exposure is confirmed.
  3. Authorization Check: Verify that the same request fails (returns 403 or error) if performed on a patched version (5.6.5+).

9. Alternative Approaches

  • Configuration Exposure: If no booking data is found, look for actions like wppb_get_settings or wppb_get_layout which might return get_option results containing system paths or API keys.
  • REST API: Check if the plugin registers routes via register_rest_route. Search for routes where 'permission_callback' => '__return_true' or where the callback is missing.
  • Direct Parameter Manipulation: If booking_id doesn't work, try id, ticket_no, or p_id as these are common variations in this plugin's code.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to unauthenticated information exposure in versions up to 5.6.5. This allows unauthenticated attackers to retrieve sensitive customer PII and booking details via AJAX actions that lack proper authorization or ownership checks.

Exploit Outline

1. Identify the WordPress AJAX endpoint at /wp-admin/admin-ajax.php. 2. Obtain a valid security nonce if required by visiting a frontend page containing a plugin shortcode (e.g., [wppb_booking_form]) and extracting the nonce from localized JavaScript objects like 'wppb_ajax_obj'. 3. Send an unauthenticated POST request to the AJAX endpoint with the action parameter set to the vulnerable callback (inferred as 'wppb_get_booking_info') and a target 'booking_id'. 4. The server returns a JSON response containing the database record for the specified booking, exposing fields such as customer names, email addresses, and phone numbers.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.