[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fl-rEv246XgRfk9E357NrFKd__2NyOyTMGYPH7ocacm0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1508","court-reservation-manage-your-court-bookings-online-cross-site-request-forgery","Court Reservation – Manage Your Court Bookings Online \u003C 1.10.9 - Cross-Site Request Forgery","The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 1.10.9 (exclusive). This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link.","court-reservation",null,"\u003C1.10.9","1.10.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-02-17 00:00:00","2026-03-19 13:37:47",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe8fecebd-c884-4124-96d6-106351e0c7a7?source=api-prod",31,[],"researched",false,3,"This plan outlines the research and exploitation process for **CVE-2026-1508**, a Cross-Site Request Forgery (CSRF) vulnerability in the **Court Reservation** plugin for WordPress.\n\n---\n\n### 1. Vulnerability Summary\nThe **Court Reservation – Manage Your Court Bookings Online** plugin (\u003C 1.10.9) fails to implement proper nonce validation on a function responsible for updating plugin settings or performing administrative actions. Consequently, an attacker can craft a malicious request that, when executed by a logged-in administrator (e.g., via a spear-phishing link), performs unauthorized changes to the plugin's configuration, such as modifying booking rules, changing notification emails, or altering global settings.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin-post.php` or `\u002Fwp-admin\u002Fadmin-ajax.php`.\n*   **Action Hook**: Likely registered via `admin_post_{action}` or `wp_ajax_{action}`. \n    *   *Inferred Action*: `cr_save_settings` or `court_reservation_update_options`. (To be verified via `grep`).\n*   **Vulnerable Parameter**: Any state-changing parameter (e.g., `cr_email_recipient`, `cr_booking_slot_duration`).\n*   **Authentication**: Requires a logged-in Administrator to trigger the request (CSRF).\n*   **Preconditions**: The attacker must know the parameter names used in the settings form and the specific action name.\n\n### 3. Code Flow\n1.  **Entry Point**: The plugin registers a handler for administrative actions, typically in the main plugin file or an admin-specific include (e.g., `admin\u002Fclass-court-reservation-admin.php`).\n    *   *Code Pattern*: `add_action( 'admin_post_court_reservation_save_settings', 'save_settings_callback' );`\n2.  **Handler Execution**: When a POST request is sent to `admin-post.php` with `action=court_reservation_save_settings`, the callback function is executed.\n3.  **Missing Check**: The callback function likely checks for user capabilities (e.g., `current_user_can('manage_options')`) but misses a nonce check (e.g., `check_admin_referer()`).\n4.  **Data Sink**: The function proceeds to update the database using `update_option()` with unsanitized or insufficiently validated data from `$_POST`.\n\n### 4. Nonce Acquisition Strategy\nThis is a **CSRF** vulnerability where the primary issue is the **absence** of a nonce check or the use of an **incorrect\u002Fbypassable** nonce.\n\n*   **If Nonce is Missing**: No acquisition is required. The exploit will succeed by simply omitting the nonce parameter.\n*   **If Nonce is \"Incorrect\" (Bypassable)**:\n    1.  Search the source for `check_admin_referer` or `wp_verify_nonce`.\n    2.  If it checks a constant or a fixed string (e.g., `wp_verify_nonce($_POST['nonce'], -1)`), any nonce generated for the default action `-1` will work.\n    3.  If a nonce *is* required but only for certain actions, use `browser_eval` to extract it from the settings page:\n        *   Navigate to: `\u002Fwp-admin\u002Fadmin.php?page=court-reservation-settings` (inferred slug).\n        *   Extract: `browser_eval(\"document.querySelector('input[name=\\\"_wpnonce\\\"]')?.value\")`.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that an unauthenticated attacker can change a plugin setting by tricking an admin.\n\n**Step 1: Discover the Target Action and Parameters**\n*   Search the plugin directory for settings forms:\n    `grep -r \"type=\\\"submit\\\"\" .`\n    `grep -r \"update_option\" .`\n*   Identify the `action` hidden field in the HTML forms or `add_action` calls in PHP.\n\n**Step 2: Construct the CSRF Exploit**\nAssuming the action is `cr_save_settings` and it updates the admin notification email:\n\n*   **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-post.php`\n*   **Method**: `POST`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```text\n    action=court_reservation_save_settings&cr_admin_email=attacker@evil.com&submit=Save+Settings\n    ```\n\n**Step 3: Execution via Agent**\nThe agent will use the `http_request` tool while \"acting\" as the administrator session (using stored cookies).\n\n### 6. Test Data Setup\n1.  **Install Plugin**: Ensure `court-reservation` version \u003C 1.10.9 is active.\n2.  **Configuration**: \n    *   Identify the default admin email or a specific setting (e.g., `court_reservation_settings`).\n    *   Note the current value: `wp option get court_reservation_settings --format=json`.\n\n### 7. Expected Results\n*   The `http_request` will return a `302 Redirect` (standard for `admin-post.php` success).\n*   The database option associated with the plugin settings will be updated to the attacker's value.\n*   No \"Are you sure you want to do this?\" (nonce failure) page should appear.\n\n### 8. Verification Steps\nAfter sending the malicious POST request, verify the change using WP-CLI:\n```bash\n# Check if the specific option was updated\nwp option get court_reservation_settings\n\n# Or, if individual options are used:\nwp option get cr_admin_email\n```\n\n### 9. Alternative Approaches\n*   **AJAX Endpoint**: If settings are saved via AJAX, the target will be `\u002Fwp-admin\u002Fadmin-ajax.php`. The body must include the `action` and any required sub-actions.\n    *   *Payload*: `action=cr_ajax_save&setting_name=val&security=invalid_nonce`\n*   **GET-based CSRF**: Check if the handler uses `$_REQUEST` instead of `$_POST`. If so, the exploit can be triggered via a simple `\u003Cimg>` tag or a link:\n    *   *Payload*: `\u002Fwp-admin\u002Fadmin-post.php?action=cr_delete_booking&id=1` (No POST required).\n\n---\n**Note on Identifiers**: Actual slugs and parameters must be confirmed by the agent using `ls -R` and `grep` upon initial access to the environment, as they vary slightly between plugin versions. Look specifically for `court-reservation` or `court_reservation`.","The Court Reservation – Manage Your Court Bookings Online plugin for WordPress fails to perform CSRF nonce validation in its settings save handler. This allows an unauthenticated attacker to change plugin configurations, such as administrative emails or booking durations, by tricking a logged-in administrator into visiting a malicious site or clicking a crafted link.","\u002F\u002F In the plugin's administrative logic (e.g., admin\u002Fclass-court-reservation-admin.php)\n\nadd_action('admin_post_court_reservation_save_settings', 'court_reservation_save_settings_callback');\n\nfunction court_reservation_save_settings_callback() {\n    if (!current_user_can('manage_options')) {\n        wp_die(__('You do not have sufficient permissions to access this page.'));\n    }\n\n    \u002F\u002F Vulnerability: Missing check_admin_referer() or wp_verify_nonce() check here\n\n    if (isset($_POST['cr_email_recipient'])) {\n        update_option('court_reservation_email_recipient', sanitize_email($_POST['cr_email_recipient']));\n    }\n    \n    if (isset($_POST['cr_booking_duration'])) {\n        update_option('court_reservation_duration', sanitize_text_field($_POST['cr_booking_duration']));\n    }\n\n    wp_redirect(admin_url('admin.php?page=court-reservation-settings&settings-updated=true'));\n    exit;\n}","--- admin\u002Fclass-court-reservation-admin.php\n+++ admin\u002Fclass-court-reservation-admin.php\n@@ -5,6 +5,8 @@\n     if (!current_user_can('manage_options')) {\n         wp_die(__('You do not have sufficient permissions to access this page.'));\n     }\n+\n+    check_admin_referer('court_reservation_save_settings_action', 'court_reservation_nonce');\n \n     if (isset($_POST['cr_email_recipient'])) {\n         update_option('court_reservation_email_recipient', sanitize_email($_POST['cr_email_recipient']));","The exploit targets the WordPress admin-post.php endpoint. An attacker crafts a hidden HTML form that automatically submits a POST request to `\u002Fwp-admin\u002Fadmin-post.php`. The payload includes the 'action' parameter set to 'court_reservation_save_settings' (or the specific action found in the plugin source) and various setting parameters like 'cr_email_recipient' containing an attacker-controlled email. The attacker then lures a logged-in WordPress administrator to a site containing this form. Since the plugin lacks a nonce check, the browser includes the administrator's session cookies, and the plugin processes the request as a legitimate administrative action, updating the settings.","gemini-3-flash-preview","2026-04-20 21:30:32","2026-04-20 21:32:16",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.10.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcourt-reservation\u002Ftags\u002F1.10.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcourt-reservation.1.10.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcourt-reservation\u002Ftags\u002F1.10.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcourt-reservation.1.10.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcourt-reservation\u002Ftags"]