[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjDol42ui8GjQEDOVbn4-XSff2q6t2K1dqHycME78wlc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39652","igms-direct-booking-missing-authorization","iGMS Direct Booking \u003C= 1.3 - Missing Authorization","The iGMS Direct Booking plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.","igms-direct-booking",null,"\u003C=1.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-15 00:00:00","2026-04-15 21:23:38",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F05fae1f8-0546-4505-8749-a9deea237d10?source=api-prod",[],"researched",false,3,"This research plan outlines the steps to identify and exploit the Missing Authorization vulnerability (CVE-2026-39652) in the iGMS Direct Booking plugin.\n\n### 1. 
Vulnerability Summary\nThe iGMS Direct Booking plugin (up to version 1.3) suffers from a **Missing Authorization** vulnerability. This occurs when an administrative or sensitive function is registered via a WordPress hook (typically AJAX or a general initialization hook) but fails to verify if the requesting user has the necessary privileges (e.g., `current_user_can('manage_options')`). Because it may also be registered via `wp_ajax_nopriv_`, unauthenticated attackers can trigger these functions to perform unauthorized actions such as modifying plugin settings or manipulating booking data.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action:** To be identified, but likely an AJAX action registered with `wp_ajax_nopriv_` prefix.\n*   **Payload Parameter:** Likely a `$_POST` array containing settings or configuration data.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** The plugin must be active. If a nonce is required, it must be leaked via the frontend.\n\n### 3. Code Flow (Inferred Audit Path)\n1.  **Entry Point Identification:** The plugin registers AJAX handlers in its main file or an inclusion file (e.g., `includes\u002Fclass-igms-db-ajax.php` or similar).\n    *   *Grep Command:* `grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Figms-direct-booking\u002F`\n2.  **Handler Analysis:** For every unauthenticated AJAX action found, locate the callback function.\n    *   *Search Pattern:* `add_action( 'wp_ajax_nopriv_[ACTION_NAME]', [ $this, '[FUNCTION_NAME]' ] );`\n3.  **Authorization Check Audit:** Inspect the identified `[FUNCTION_NAME]` for a call to `current_user_can()`. If the function modifies options or database state and lacks this check, it is vulnerable.\n    *   *Critical Sinks:* `update_option()`, `wp_insert_post()`, `$wpdb->insert()`, `$wpdb->update()`.\n\n### 4. 
Nonce Acquisition Strategy\nIf the vulnerable function uses `check_ajax_referer()` or `wp_verify_nonce()`, follow this strategy:\n\n1.  **Locate Nonce Creation:** Search for `wp_create_nonce` in the plugin source to find the action string.\n    *   *Grep:* `grep -rn \"wp_create_nonce\" wp-content\u002Fplugins\u002Figms-direct-booking\u002F`\n2.  **Locate Localization:** Find where this nonce is passed to the frontend.\n    *   *Search:* `wp_localize_script( ... )`\n3.  **Identify Trigger:** Determine which shortcode or page enqueues the script containing the nonce. Look for `add_shortcode` in the source.\n    *   *Shortcode Example (Inferred):* `[igms_booking_form]`\n4.  **Extraction:**\n    *   Create a page: `wp post create --post_type=page --post_status=publish --post_content='[igms_booking_form]'`\n    *   Navigate to the page using `browser_navigate`.\n    *   Extract the nonce using `browser_eval`:\n        ```javascript\n        \u002F\u002F Example JS path based on typical localization\n        window.igms_booking_data?.nonce || window.igms_vars?.ajax_nonce\n        ```\n\n### 5. Exploitation Strategy\nOnce the vulnerable action and required parameters are identified:\n\n1.  **Identify Parameters:** Look for the keys in `$_POST` used by the vulnerable function (e.g., `igms_settings`, `api_key`, `property_id`).\n2.  **Craft Request:** Use the `http_request` tool to send a POST request.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** `action=[VULNERABLE_ACTION]&_ajax_nonce=[NONCE]&[PARAM]=[VALUE]`\n3.  **Example Target (Hypothetical):**\n    If the action is `igms_save_config` and it updates the `igms_api_key` option:\n    *   `action=igms_save_config&api_key=EVIL_KEY_123&nonce=[EXTRACTED_NONCE]`\n\n### 6. Test Data Setup\n1.  
**Install Plugin:** Ensure iGMS Direct Booking v1.3 is installed and active.\n2.  **Identify Shortcodes:** List shortcodes to find a candidate for nonce leakage:\n    *   `grep -rn \"add_shortcode\" wp-content\u002Fplugins\u002Figms-direct-booking\u002F`\n3.  **Create Test Page:**\n    *   `wp post create --post_type=page --post_title=\"Booking\" --post_status=publish --post_content='[SHORTCODE_FOUND]'`\n\n### 7. Expected Results\n*   **Success Indicator:** The server returns a `200 OK` response, often with a JSON body indicating success (e.g., `{\"success\": true}`).\n*   **Data Impact:** Plugin settings are modified, or a new booking record is created without valid user credentials.\n\n### 8. Verification Steps\nAfter sending the exploit request, verify the change using WP-CLI:\n\n1.  **Check Options:** If the exploit modified settings:\n    *   `wp option get igms_settings` (Verify if values match the payload).\n2.  **Check Database:** If the exploit created data:\n    *   `wp db query \"SELECT * FROM wp_options WHERE option_name LIKE 'igms_%'\"`\n    *   `wp post list --post_type=igms_booking` (if bookings are CPTs).\n\n### 9. 
Alternative Approaches\n*   **Initialization Hooks:** If no unauthenticated AJAX is found, check for `admin_init` or `init` hooks that process `$_POST` without capability checks.\n    *   *Search:* `grep -rn \"add_action( 'admin_init'\" wp-content\u002Fplugins\u002Figms-direct-booking\u002F`\n*   **Direct Option Update:** If the plugin uses `register_setting` incorrectly without a proper `sanitize_callback` or `permission_callback`, it might be possible to update options via `options.php` (though this usually requires authentication, check for `nopriv` wrappers).\n*   **REST API:** Check for registered REST routes that lack the `permission_callback` argument.\n    *   *Search:* `register_rest_route` in the plugin directory.","The iGMS Direct Booking plugin for WordPress is vulnerable to unauthorized access in versions up to 1.3 due to a missing capability check on AJAX handlers. This allows unauthenticated attackers to perform sensitive administrative actions, such as updating plugin settings or manipulating booking data, by sending requests to the admin-ajax.php endpoint.","\u002F\u002F wp-content\u002Fplugins\u002Figms-direct-booking\u002Figms-direct-booking.php (approximate)\n\n\u002F\u002F Action registered for both authenticated and unauthenticated users\nadd_action( 'wp_ajax_nopriv_igms_save_settings', 'igms_save_settings_callback' );\nadd_action( 'wp_ajax_igms_save_settings', 'igms_save_settings_callback' );\n\nfunction igms_save_settings_callback() {\n    \u002F\u002F Function lacks a check like current_user_can('manage_options')\n    if ( isset( $_POST['igms_api_key'] ) ) {\n        update_option( 'igms_api_key', sanitize_text_field( $_POST['igms_api_key'] ) );\n    }\n    \n    wp_send_json_success();\n}","--- a\u002Figms-direct-booking.php\n+++ b\u002Figms-direct-booking.php\n@@ -1,10 +1,12 @@\n-add_action( 'wp_ajax_nopriv_igms_save_settings', 'igms_save_settings_callback' );\n add_action( 'wp_ajax_igms_save_settings', 'igms_save_settings_callback' );\n 
\n function igms_save_settings_callback() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );\n+    }\n+    \n+    check_ajax_referer( 'igms_settings_nonce', 'nonce' );\n+\n     if ( isset( $_POST['igms_api_key'] ) ) {\n         update_option( 'igms_api_key', sanitize_text_field( $_POST['igms_api_key'] ) );\n     }","The exploit targets the WordPress AJAX endpoint to perform unauthorized configuration changes. \n\n1. Target Endpoint: \u002Fwp-admin\u002Fadmin-ajax.php\n2. Vulnerable Action: Identify an AJAX action registered via wp_ajax_nopriv_ (e.g., igms_save_settings) that handles sensitive plugin options.\n3. Nonce Acquisition (if required): Visit a public page containing an iGMS shortcode (like [igms_booking_form]) to extract a localized AJAX nonce from the page source or window object scripts.\n4. Payload Delivery: Construct a POST request with the 'action' parameter set to the vulnerable hook, the extracted nonce, and the desired settings values (e.g., a malicious api_key) in the POST body.\n5. Authentication: No authentication is required for hooks registered with the 'nopriv' prefix that lack internal capability checks.","gemini-3-flash-preview","2026-04-20 22:12:47","2026-04-20 22:13:04",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Figms-direct-booking\u002Ftags"]