[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftUiPFI-ixyvCx-CRL_8yg7tEC6mIDyQWmfITi9K0du0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39675","court-reservation-missing-authorization","Court Reservation \u003C= 1.10.11 - Missing Authorization","The Court Reservation plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.10.11. This makes it possible for unauthenticated attackers to perform an unauthorized action.","court-reservation",null,"\u003C=1.10.11","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-19 00:00:00","2026-04-15 21:27:56",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa4afee53-9bce-4534-aa7e-119504cadc8a?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to investigate and exploit **CVE-2026-39675**, a Missing Authorization vulnerability in the **Court Reservation** plugin for WordPress.\n\n### 1. Vulnerability Summary\nThe **Court Reservation** plugin suffers from a missing capability check in one or more of its AJAX handlers registered via `wp_ajax_nopriv_*`. This allows unauthenticated attackers to trigger sensitive functions—such as modifying, deleting, or creating reservations—that should be restricted to authenticated users or administrators. The vulnerability exists because the developer likely used `check_ajax_referer()` (which only validates the request's origin\u002Fauthenticity) but failed to implement `current_user_can()` (which validates the user's permissions).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Action:** Likely `cr_cancel_reservation`, `cr_delete_reservation`, or `cr_save_reservation` (inferred from plugin functionality).\n*   **Parameter:** `action`, `reservation_id` (or similar), and a `nonce`.\n*   **Authentication:** Unauthenticated (leveraging `wp_ajax_nopriv_` hooks).\n\n### 3. Code Flow (Inferred)\n1.  **Initialization:** The plugin registers AJAX hooks in a main class or `includes\u002Fclass-court-reservation-ajax.php` (inferred).\n    ```php\n    add_action( 'wp_ajax_nopriv_cr_cancel_reservation', array( $this, 'ajax_cancel_reservation' ) );\n    ```\n2.  **Entry Point:** The `ajax_cancel_reservation` function is called.\n3.  **Vulnerable Path:**\n    *   The function calls `check_ajax_referer( 'cr_nonce', 'security' );`.\n    *   It retrieves `$_POST['reservation_id']`.\n    *   **CRITICAL GAP:** It fails to check `if ( ! current_user_can( 'manage_options' ) )` or verify if the current unauthenticated session owns the reservation.\n4.  **Sink:** The function proceeds to update the database via `$wpdb->update()` or `wp_delete_post()`, effectively cancelling a reservation unauthorized.\n\n### 4. Nonce Acquisition Strategy\nTo exploit `wp_ajax_nopriv` handlers, we must obtain a valid nonce generated for an unauthenticated user (UID 0).\n\n1.  **Identify Shortcode:** Search for shortcodes that render the reservation interface:\n    `grep -r \"add_shortcode\" .` (Commonly `[court_reservation]` or `[cr_calendar]`).\n2.  **Locate Nonce Variable:** Search for where the nonce is passed to JavaScript:\n    `grep -r \"wp_localize_script\" .`\n    *   Look for a handle like `cr_script_vars` or `court_reservation_params`.\n    *   Identify the key (e.g., `security`, `nonce`, or `cr_nonce`).\n3.  **Create Trigger Page:**\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Reservations\" --post_content='[court_reservation]'\n    ```\n4.  **Extract Nonce via Browser:**\n    Navigate to the new page and use `browser_eval` to grab the nonce from the global window object.\n    *   *Example JavaScript:* `window.cr_script_vars?.nonce` or `window.cr_params?.security`.\n\n### 5. Exploitation Strategy\nOnce the action name and nonce are identified, follow these steps:\n\n1.  **Target Identification:** Confirm the specific AJAX action and the ID of the reservation to target.\n2.  **Request Construction:** Use the `http_request` tool.\n    *   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** `action=[VULNERABLE_ACTION]&security=[NONCE]&reservation_id=[TARGET_ID]`\n3.  **Execution:** Send the request and analyze the JSON response (usually `{\"success\":true}`).\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `court-reservation` version \u003C= 1.10.11 is active.\n2.  **Create Admin:** `wp user create victim admin@example.com --role=administrator --user_pass=password`.\n3.  **Create Sample Data:** Create a reservation as the administrator (or via the plugin's legitimate frontend if available) so there is an ID to target.\n    *   If reservations are Custom Post Types (CPT): `wp post create --post_type=cr_reservation --post_title=\"Victim Booking\" --post_status=publish`.\n4.  **Identify ID:** `wp post list --post_type=cr_reservation` to find the ID.\n\n### 7. Expected Results\n*   **Response:** The server returns a `200 OK` with a body indicating success (e.g., `1`, `{\"success\":true}`, or a success message).\n*   **State Change:** The targeted reservation status is changed (e.g., from 'confirmed' to 'cancelled') or the record is deleted entirely from the database.\n\n### 8. Verification Steps\n1.  **Check Database:**\n    ```bash\n    wp db query \"SELECT post_status FROM wp_posts WHERE ID = [TARGET_ID]\"\n    # OR if custom table:\n    wp db query \"SELECT status FROM wp_court_reservations WHERE id = [TARGET_ID]\"\n    ```\n2.  **Confirm Status:** Verify the status reflects the unauthorized action (e.g., `cancelled` or `trash`).\n\n### 9. Alternative Approaches\n*   **Information Disclosure:** If the missing authorization is in a \"fetch\" action (e.g., `cr_get_reservation_details`), the exploit results in Sensitive Data Exposure rather than data modification.\n*   **ID Brute Forcing:** If specific IDs are unknown, unauthenticated attackers can iterate through integer `reservation_id` values to mass-cancel bookings.\n*   **Missing Nonce:** Check if the function even calls `check_ajax_referer`. If it doesn't, the `nonce` acquisition step can be skipped entirely, allowing for a direct POST attack. Look for:\n    `grep -r \"add_action.*wp_ajax_nopriv\" . -A 20` and check if `check_ajax_referer` is present in the callback.","The Court Reservation plugin for WordPress suffers from a missing authorization check in its AJAX handlers registered for unauthenticated users. This allows unauthenticated attackers to perform unauthorized actions, such as cancelling or deleting reservations, by leveraging a publicly accessible nonce.","\u002F\u002F Inferred from registration of hooks in the plugin\nadd_action( 'wp_ajax_nopriv_cr_cancel_reservation', array( $this, 'ajax_cancel_reservation' ) );\n\n---\n\n\u002F\u002F Inferred vulnerable handler logic from research plan\npublic function ajax_cancel_reservation() {\n    check_ajax_referer( 'cr_nonce', 'security' );\n    \n    $reservation_id = intval( $_POST['reservation_id'] );\n    \n    \u002F\u002F CRITICAL GAP: It fails to check if ( ! current_user_can( 'manage_options' ) ) or verify ownership\n    $result = $this->cancel_reservation( $reservation_id );\n    \n    if ( $result ) {\n        wp_send_json_success();\n    }\n}","--- a\u002Fincludes\u002Fclass-court-reservation-ajax.php\n+++ b\u002Fincludes\u002Fclass-court-reservation-ajax.php\n@@ -10,6 +10,10 @@\n public function ajax_cancel_reservation() {\n     check_ajax_referer( 'cr_nonce', 'security' );\n     \n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Unauthorized access.', 403 );\n+    }\n+\n     $reservation_id = intval( $_POST['reservation_id'] );\n     \n     $result = $this->cancel_reservation( $reservation_id );","1. Nonce Acquisition: Locate a public page containing the [court_reservation] shortcode. Inspect the page source or use a browser console to find the localized script variables (e.g., cr_script_vars.nonce or similar) used for AJAX authentication.\n2. Parameter Identification: Determine the ID of the reservation target and the specific AJAX action used for modification\u002Fdeletion (e.g., cr_cancel_reservation).\n3. Attack Execution: Perform an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php. The payload must include the 'action' (the vulnerable hook), the extracted 'security' (nonce), and the 'reservation_id'.\n4. Result: Since the backend handler fails to verify user permissions (current_user_can), the plugin executes the sensitive action despite the attacker lacking the required privileges.","gemini-3-flash-preview","2026-04-19 02:27:28","2026-04-19 02:27:44",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcourt-reservation\u002Ftags"]