[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUe9q4DjTHLdHCO-LKWurWu7vkSpQ4tN2QgILBpoKNyY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-8684","motopress-hotel-booking-missing-authorization-to-unauthenticated-arbitrary-booking-notes-modification-via-mphbupdatebook","MotoPress Hotel Booking \u003C= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary Booking Notes Modification via mphb_update_booking_notes AJAX Action","The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction.","motopress-hotel-booking-lite",null,"\u003C=6.0.1","6.0.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-21 19:21:36","2026-05-22 07:50:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6567e63c-3129-47b2-a734-733eb599821a?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin.css","assets\u002Fcss\u002Fadmin.min.css","assets\u002Fcss\u002Fmphb.css","assets\u002Fcss\u002Fmphb.min.css","assets\u002Fjs\u002Fpublic\u002Fmphb.js","assets\u002Fjs\u002Fpublic\u002Fmphb.min.js","functions.php","includes\u002Fadmin\u002Fedit-cpt-pages\u002Fbooking-edit-cpt-page.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-8684\n\n## 1. Vulnerability Summary\nThe **MotoPress Hotel Booking** plugin for WordPress (versions \u003C= 6.0.1) contains a missing authorization vulnerability in its AJAX handling logic. The plugin registers an AJAX action `mphb_update_booking_notes` intended for administrative use to update internal booking notes. However, it fails to perform a capability check (e.g., `current_user_can( 'edit_post', $booking_id )`) within the handler. \n\nFurthermore, the nonce required to validate this AJAX request is localized to the frontend on every public page via `wp_localize_script` under the `MPHB._data.nonces` object. This combination allows unauthenticated attackers to obtain a valid nonce and modify the `_mphb_booking_internal_notes` meta field for any arbitrary booking ID.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `mphb_update_booking_notes`\n*   **Authentication Required:** None (Unauthenticated).\n*   **Vulnerable Parameter(s):**\n    *   `bookingId`: The ID of the target booking.\n    *   `notes`: The new string content for the internal notes.\n    *   `nonce`: The security token leaked in the frontend.\n*   **Preconditions:**\n    *   The plugin must be active.\n    *   At least one booking (post type `mphb_booking`) must exist in the system.\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers the AJAX handler for both authenticated and unauthenticated users (inferred from the \"Unauthenticated\" status in the CVE description):\n    *   `add_action( 'wp_ajax_mphb_update_booking_notes', ... )`\n    *   `add_action( 'wp_ajax_nopriv_mphb_update_booking_notes', ... )`\n2.  **Nonce Exposure:** On public-facing pages, the plugin calls `wp_localize_script`, which outputs the following in the HTML source:\n    ```javascript\n    var MPHB = {\"_data\": {\"nonces\": {\"update_booking_notes\": \"...\"}}};\n    ```\n3.  **Request Handling:** When a request is sent to `admin-ajax.php` with `action=mphb_update_booking_notes`:\n    *   The handler verifies the `nonce` using `check_ajax_referer( 'mphb_update_booking_notes', 'nonce' )`.\n    *   **The Bug:** The handler proceeds to `update_post_meta( $bookingId, '_mphb_booking_internal_notes', $notes )` without checking if the requester has the `edit_posts` capability or is the owner of the booking.\n\n## 4. Nonce Acquisition Strategy\nNonces are user-bound. For an unauthenticated attacker, the nonce is generated for User ID `0`. This nonce is valid for any visitor sharing the same session context (unauthenticated).\n\n1.  **Navigate** to the WordPress homepage where MotoPress scripts are loaded.\n2.  **Extract** the nonce using the `browser_eval` tool:\n    *   Script: `window.MPHB?._data?.nonces?.update_booking_notes`\n3.  **Verification:** If the key name differs, use `browser_eval(\"JSON.stringify(window.MPHB._data.nonces)\")` to inspect all available nonces.\n\n## 5. Exploitation Strategy\n### Step-by-Step Plan\n1.  **Discovery:** Locate a valid booking ID (e.g., via brute-force or if IDs are exposed in other frontend elements).\n2.  **Nonce Retrieval:** Use Playwright to visit the site and extract the `update_booking_notes` nonce.\n3.  **Execution:** Send a crafted `POST` request to `admin-ajax.php`.\n\n### Payload (HTTP Request)\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=mphb_update_booking_notes&nonce=[EXTRACTED_NONCE]&bookingId=[TARGET_ID]&notes=VULNERABILITY_CONFIRMED_INTERNAL_NOTES_OVERWRITTEN\n```\n\n## 6. Test Data Setup\nTo verify the exploit in a test environment:\n1.  **Create a Booking:**\n    ```bash\n    # Create a booking post\n    BOOKING_ID=$(wp post create --post_type=mphb_booking --post_title=\"Target Booking\" --post_status=confirmed --porcelain)\n    \n    # Add initial internal notes\n    wp post meta update $BOOKING_ID _mphb_booking_internal_notes \"Private administrative note - DO NOT LEAK\"\n    ```\n2.  **Ensure Script Localization:** Ensure the MotoPress scripts are enqueued (usually automatic on the homepage if the plugin is active).\n\n## 7. Expected Results\n*   **Response:** The server should return a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   **Database Change:** The metadata `_mphb_booking_internal_notes` for the target `BOOKING_ID` will be updated to the attacker-supplied string.\n\n## 8. Verification Steps\nAfter the `http_request`, use WP-CLI to confirm the state change:\n```bash\n# Check if the internal note has been modified\nwp post meta get [BOOKING_ID] _mphb_booking_internal_notes\n```\nIf the command returns `VULNERABILITY_CONFIRMED_INTERNAL_NOTES_OVERWRITTEN`, the exploitation is successful.\n\n## 9. Alternative Approaches\n*   **Parameter Guessing:** If `bookingId` is not the correct parameter name, common alternatives in MotoPress are `id`, `post_id`, or `booking_id`.\n*   **Deletion:** If the `notes` parameter is omitted or sent empty, the exploit may result in the deletion of existing internal notes, fulfilling the \"overwrite or delete\" description in the CVE.\n*   **Blind Verification:** If you cannot access WP-CLI, try to view the booking in the WP-Admin dashboard (if you have a low-privileged account) to see if the notes changed in the \"Logs\" or \"Booking Details\" metaboxes defined in `includes\u002Fadmin\u002Fedit-cpt-pages\u002Fbooking-edit-cpt-page.php`.","The MotoPress Hotel Booking plugin (\u003C= 6.0.1) lacks a capability check in its `mphb_update_booking_notes` AJAX action handler, allowing unauthenticated users to modify internal booking metadata. A valid nonce for this action is leaked to all site visitors via localized scripts on public pages, enabling arbitrary modification of administrative notes.","\u002F\u002F The handler lacks authorization checks before updating metadata\n\u002F\u002F Likely located in an AJAX controller file\n\npublic function updateBookingNotes() {\n    \u002F\u002F Nonce is verified, but this is insufficient as it is leaked to unauthenticated users\n    check_ajax_referer( 'mphb_update_booking_notes', 'nonce' );\n\n    $bookingId = isset( $_POST['bookingId'] ) ? (int) $_POST['bookingId'] : 0;\n    $notes     = isset( $_POST['notes'] ) ? sanitize_text_field( $_POST['notes'] ) : '';\n\n    \u002F\u002F Missing: if ( ! current_user_can( 'edit_post', $bookingId ) ) { wp_die(); }\n\n    update_post_meta( $bookingId, '_mphb_booking_internal_notes', $notes );\n\n    wp_send_json_success();\n}","--- a\u002Fincludes\u002Fajax\u002Fajax-handler.php\n+++ b\u002Fincludes\u002Fajax\u002Fajax-handler.php\n@@ -124,6 +124,10 @@\n \tpublic function updateBookingNotes() {\n \t\tcheck_ajax_referer( 'mphb_update_booking_notes', 'nonce' );\n \n+\t\tif ( ! current_user_can( 'manage_bookings' ) ) {\n+\t\t\twp_send_json_error();\n+\t\t}\n+\n \t\t$bookingId = isset( $_POST['bookingId'] ) ? (int) $_POST['bookingId'] : 0;\n \t\t$notes     = isset( $_POST['notes'] ) ? sanitize_text_field( $_POST['notes'] ) : '';","The exploit targets the AJAX endpoint using a leaked nonce from the frontend. \n1. An unauthenticated attacker visits the target WordPress site's homepage and extracts the security nonce from the global JavaScript object `MPHB._data.nonces.update_booking_notes`.\n2. The attacker identifies a target Booking ID (typically via numeric brute-force or data leaked in other components).\n3. The attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters: `action=mphb_update_booking_notes`, `nonce` (the extracted token), `bookingId` (the target), and `notes` (the payload string).\n4. The server processes the request and overwrites the sensitive `_mphb_booking_internal_notes` meta field with the attacker's content without verifying the attacker's permissions.","gemini-3-flash-preview","2026-06-04 21:56:53","2026-06-04 21:57:52",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotopress-hotel-booking-lite\u002Ftags\u002F6.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmotopress-hotel-booking-lite.6.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotopress-hotel-booking-lite\u002Ftags\u002F6.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmotopress-hotel-booking-lite.6.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmotopress-hotel-booking-lite\u002Ftags"]