Bus Ticket Booking with Seat Reservation < 5.6.5 - Unauthenticated Information Exposure
Description
The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 5.6.5 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<5.6.5Source Code
WordPress.org SVNPatched version not available.
Based on the vulnerability details for **CVE-2026-39572**, this is an unauthenticated information exposure vulnerability in the **Bus Ticket Booking with Seat Reservation** plugin. This type of vulnerability typically occurs when a `wp_ajax_nopriv_` action or a REST API endpoint fails to implement p…
Show full research plan
Based on the vulnerability details for CVE-2026-39572, this is an unauthenticated information exposure vulnerability in the Bus Ticket Booking with Seat Reservation plugin. This type of vulnerability typically occurs when a wp_ajax_nopriv_ action or a REST API endpoint fails to implement proper authorization checks, allowing any user to query sensitive data.
1. Vulnerability Summary
The plugin exposes sensitive information (likely booking details, customer PII, or internal configuration) through an AJAX handler registered with the wp_ajax_nopriv_ hook. Because this hook is accessible to unauthenticated users and the associated callback function lacks sufficient capability checks (e.g., current_user_can) or ownership verification, an attacker can extract data by providing valid identifiers (like booking IDs) to the endpoint.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
wppb_get_booking_infoorwppb_get_customer_details(inferred from plugin naming conventions; needs verification in source). - Parameters:
action,booking_id(orticket_id), and potentially anonce. - Authentication: None required (unauthenticated).
- Preconditions: At least one booking must exist in the system for PII exposure, or the "configuration" exposure must be a global setting.
3. Code Flow (Inferred)
- Registration: The plugin registers an unauthenticated AJAX handler in its main class or an AJAX-specific class:
add_action( 'wp_ajax_nopriv_wppb_get_booking_info', 'wppb_get_booking_info_callback' ); - Handler Execution: The
wppb_get_booking_info_callbackfunction is called. - Missing Authorization: The function likely retrieves a
booking_idfrom$_POSTor$_GET. - Database Query: It performs a query like
$wpdb->get_row("SELECT * FROM {$wpdb->prefix}wppb_bookings WHERE id = $booking_id")without verifying if the requester is an admin or the owner of the booking. - Information Leak: The results (including names, emails, phone numbers, or seat details) are returned via
wp_send_json()orecho json_encode().
4. Nonce Acquisition Strategy
If the endpoint requires a nonce, it is likely localized for the frontend booking form or search page.
- Shortcode Identification: The plugin uses shortcodes like
[wppb_booking_form]or[wppb_search_ticket]to render frontend interfaces. - Strategy:
- Create a page containing the booking search shortcode to trigger script/nonce loading.
- Navigate to the page.
- Extract the nonce from the global JavaScript object localized by the plugin.
- Localization Data:
- JS Variable:
wppb_ajax_obj(inferred) orwppb_js_var(inferred). - Nonce Key:
nonceorwppb_nonce.
- JS Variable:
- Browser Eval Command:
browser_eval("window.wppb_ajax_obj?.nonce || window.wppb_js_var?.wppb_nonce")
5. Exploitation Strategy
The goal is to request the sensitive data via the AJAX endpoint.
Request Details:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Headers:
Content-Type: application/x-www-form-urlencoded - Payload:
action=wppb_get_booking_info&booking_id=1&nonce=[EXTRACTED_NONCE]
Step-by-Step:
- Discovery: Use
grep -r "wp_ajax_nopriv_" .in the plugin directory to find the exact action name. Look for handlers returning database rows. - Setup: Create dummy booking data via the plugin's frontend or WP-CLI (if possible) to ensure there is something to "expose."
- Nonce Retrieval: Use the shortcode method described in Section 4 if a nonce check is found in the code.
- Information Extraction: Loop through
booking_idvalues (e.g., 1-10) usinghttp_requestto identify which IDs return data. - Data Capture: Parse the JSON response for sensitive fields (email, phone, address).
6. Test Data Setup
- Install Plugin: Ensure
bus-ticket-booking-with-seat-reservation< 5.6.5 is active. - Create a Booking:
# Since we need to test PII exposure, we need a booking. # If the plugin has a CLI, use it. Otherwise, use the frontend. wp post create --post_type=page --post_title="Booking" --post_content='[wppb_booking_form]' --post_status=publish - Add a Test User/Customer: Manually or via script, ensure a booking exists in the custom table (usually
wp_wppb_bookings).
7. Expected Results
- An unauthenticated POST request to
admin-ajax.phpreturns a200 OKresponse. - The response body contains a JSON object with keys like
customer_name,customer_email,customer_phone, orseat_number. - Example Vulnerable Response:
{ "success": true, "data": { "id": "1", "name": "John Doe", "email": "john@example.com", "phone": "555-0199", "bus_id": "10", "seats": "A1, A2" } }
8. Verification Steps
- Check DB State: Use WP-CLI to verify the data exists in the database.
wp db query "SELECT * FROM wp_wppb_bookings LIMIT 1;" - Compare Output: Compare the fields returned in the HTTP response with the fields in the database. If they match and contain PII, the exposure is confirmed.
- Authorization Check: Verify that the same request fails (returns 403 or error) if performed on a patched version (5.6.5+).
9. Alternative Approaches
- Configuration Exposure: If no booking data is found, look for actions like
wppb_get_settingsorwppb_get_layoutwhich might returnget_optionresults containing system paths or API keys. - REST API: Check if the plugin registers routes via
register_rest_route. Search for routes where'permission_callback' => '__return_true'or where the callback is missing. - Direct Parameter Manipulation: If
booking_iddoesn't work, tryid,ticket_no, orp_idas these are common variations in this plugin's code.
Summary
The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to unauthenticated information exposure in versions up to 5.6.5. This allows unauthenticated attackers to retrieve sensitive customer PII and booking details via AJAX actions that lack proper authorization or ownership checks.
Exploit Outline
1. Identify the WordPress AJAX endpoint at /wp-admin/admin-ajax.php. 2. Obtain a valid security nonce if required by visiting a frontend page containing a plugin shortcode (e.g., [wppb_booking_form]) and extracting the nonce from localized JavaScript objects like 'wppb_ajax_obj'. 3. Send an unauthenticated POST request to the AJAX endpoint with the action parameter set to the vulnerable callback (inferred as 'wppb_get_booking_info') and a target 'booking_id'. 4. The server returns a JSON response containing the database record for the specified booking, exposing fields such as customer names, email addresses, and phone numbers.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.