[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZOQltU-HZAKGqA0KEoU0nDsJGXw9MvCFXaQHAFl8BQY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-40768","salon-booking-system-free-version-unauthenticated-insecure-direct-object-reference","Salon Booking System – Free Version \u003C= 10.30.24 - Unauthenticated Insecure Direct Object Reference","The Salon Booking System – Free Version plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.30.24 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform unauthorized actions.","salon-booking-system",null,"\u003C=10.30.24","10.30.25","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-04-21 00:00:00","2026-04-30 15:08:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F94fc7e20-0fd1-4a10-b821-e5aba4512f3f?source=api-prod",10,[],"researched",false,3,"This research plan outlines the process for analyzing and exploiting **CVE-2026-40768**, an Insecure Direct Object Reference (IDOR) in the **Salon Booking System** plugin.\n\n### 1. Vulnerability Summary\nThe **Salon Booking System – Free Version** (up to 10.30.24) fails to adequately validate ownership or authorization when processing certain booking-related actions through unauthenticated AJAX endpoints. Specifically, the vulnerability allows an unauthenticated user to perform actions (likely cancellation or modification) on any booking record by supplying its ID, as the \"user-controlled key\" (token or ID) is not properly verified against the session or the specific object.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `sln_cancel_reservation` (inferred primary target) or potentially `sln_update_booking_status`.\n*   **Vulnerable Hooks:** `wp_ajax_nopriv_sln_cancel_reservation` or `wp_ajax_nopriv_sln_booking_cancel`.\n*   **Payload Parameter:** `id` (The booking ID) and potentially a dummy or missing `token`.\n*   **Authentication:** Unauthenticated (No login required).\n*   **Preconditions:** A booking must exist in the system.\n\n### 3. Code Flow\n1.  The plugin registers unauthenticated AJAX handlers in its main initialization (likely in `src\u002FSLN\u002FAction\u002FAjax.php` or `src\u002FSLN\u002FHook\u002FAjax.php`).\n2.  An unauthenticated request triggers a callback such as `SLN_Action_Ajax_CancelReservation::execute()` or `sln_cancel_reservation()`.\n3.  The code retrieves the booking ID from `$_POST['id']` or `$_GET['id']`.\n4.  **The Flaw:** The code checks for the existence of a `token` or `key` parameter but fails to verify that this token is cryptographically tied to that specific `booking_id` or the current requester’s session. \n5.  The system calls `$booking->cancel()` or updates the post status of the booking ID provided by the attacker.\n\n### 4. Nonce Acquisition Strategy\nWhile many `nopriv` actions in this plugin require a nonce for basic CSRF protection, the IDOR itself bypasses the logic intended to ensure the *right* user is acting on the *right* booking.\n\n1.  **Identify Trigger:** The plugin enqueues its AJAX scripts on pages containing the booking form shortcode: `[salonbooking]`.\n2.  **Setup Page:** Create a public page with the shortcode:\n    `wp post create --post_type=page --post_status=publish --post_title=\"Booking\" --post_content='[salonbooking]'`\n3.  **Navigate:** Use `browser_navigate` to visit the newly created page.\n4.  **Extract Nonce:** The plugin localizes its configuration in a global JS object.\n    *   **Inferred JS Variable:** `SLN_JS` or `salon_booking_vars`.\n    *   **Extraction Command:** `browser_eval(\"window.SLN_JS?.nonce || window.salon_booking_vars?.nonce\")`.\n\n### 5. Exploitation Strategy\nThe goal is to cancel a booking belonging to another user (or a test booking) without possessing the legitimate secret token usually sent in confirmation emails.\n\n**Request Template:**\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** \n    ```\n    action=sln_cancel_reservation&id=[TARGET_BOOKING_ID]&nonce=[EXTRACTED_NONCE]\n    ```\n    *(Note: If a `token` parameter is required by the code but not validated, add `&token=invalid` or `&token=`)*.\n\n**Steps:**\n1.  **Enumerate IDs:** Determine a valid booking ID (e.g., ID 1, 2, or 100).\n2.  **Send Request:** Execute the `http_request` tool with the parameters above.\n3.  **Analyze Response:** A successful exploit will typically return a JSON response: `{\"status\":\"success\"}` or `1`.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `salon-booking-system` version `10.30.24` is active.\n2.  **Create a Booking:** \n    *   Use the `wp post create` command to create a `sln_booking` post type entry (the internal post type name might be `sln_reservation` or `booking` - verify with `wp post-type list`).\n    *   Alternatively, use the frontend booking form to create a \"target\" booking.\n3.  **Verify Target:** Note the ID of the created booking: `wp post list --post_type=sln_booking`.\n\n### 7. Expected Results\n*   **Successful Exploitation:** The booking status in the database changes from `confirmed` or `pending` to `cancelled`.\n*   **Response Content:** The AJAX endpoint returns a success indicator without requiring the unique per-booking token that is normally required for guest cancellations.\n\n### 8. Verification Steps\n1.  **Check Post Status:** \n    `wp post get [TARGET_BOOKING_ID] --field=post_status`\n    (Expected: `cancelled` or the plugin's internal equivalent).\n2.  **Check Meta:**\n    `wp post meta get [TARGET_BOOKING_ID] status` \n    (The plugin often stores its own status in meta).\n\n### 9. Alternative Approaches\nIf `sln_cancel_reservation` is not the vulnerable action, investigate:\n*   **`sln_get_booking_details`**: Check if it allows unauthenticated viewing of customer names\u002Femails\u002Fphones by IDOR.\n*   **`sln_save_customer_note`**: Check if an attacker can append notes to any booking ID.\n*   **Search for `wp_ajax_nopriv`**:\n    `grep -rn \"wp_ajax_nopriv\" .` in the plugin directory to find all unauthenticated entry points and test each for an `id` or `booking_id` parameter that lacks ownership verification.","The Salon Booking System plugin for WordPress is vulnerable to an unauthenticated Insecure Direct Object Reference (IDOR) in its AJAX handlers. This allows attackers to perform unauthorized actions, such as cancelling any booking, by providing a target booking ID without the system properly validating ownership or the associated secret token.","To exploit this vulnerability, an attacker first identifies a target booking ID. They then obtain a valid AJAX nonce by visiting a public page containing the [salonbooking] shortcode and extracting the 'nonce' value from the 'SLN_JS' or 'salon_booking_vars' JavaScript object. Finally, they send an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action 'sln_cancel_reservation', the target booking 'id', and the nonce. The server performs the action because it fails to verify that the provided (or missing) token matches the specific booking.","gemini-3-flash-preview","2026-05-04 19:15:16","2026-05-04 19:15:39",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","10.30.23","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsalon-booking-system\u002Ftags\u002F10.30.23","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsalon-booking-system.10.30.23.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsalon-booking-system\u002Ftags"]