Time Slots Booking Form <= 1.2.42 - Missing Authorization
Description
The Time Slots Booking Form plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.42. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.2.42What Changed in the Fix
Changes introduced in v1.2.43
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-32432 ## 1. Vulnerability Summary The **WP Time Slots Booking Form** plugin (versions <= 1.2.42) is vulnerable to **Missing Authorization**. The vulnerability exists because the plugin's administrative settings processing logic, typically triggered during `ad…
Show full research plan
Exploitation Research Plan - CVE-2026-32432
1. Vulnerability Summary
The WP Time Slots Booking Form plugin (versions <= 1.2.42) is vulnerable to Missing Authorization. The vulnerability exists because the plugin's administrative settings processing logic, typically triggered during admin_init or through specific AJAX actions, lacks a current_user_can() capability check. This allows unauthenticated attackers to modify plugin settings, such as calendar names, notification emails, and form structures, by sending a crafted HTTP POST request.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.phpor/wp-admin/admin-post.php(triggersadmin_init). - HTTP Method: POST
- Parameters:
cp_tslotsbooking_post_options: A trigger parameter (fromcp-admin-int.inc.php).cp_tslotsbooking_id: The ID of the calendar/form to modify (default is1).cal: The calendar ID passed in the query string (used incp-admin-int.inc.php).form_name: The new name for the calendar (used as a PoC indicator).
- Authentication: None Required (
PR:N). - Preconditions: The plugin must be active. A calendar usually exists with ID
1by default upon installation.
Summary
The WP Time Slots Booking Form plugin for WordPress is vulnerable to unauthorized access and settings modification due to missing capability checks on administrative functions. Unauthenticated attackers can exploit this to change calendar configurations, notification emails, and even execute database schema modifications via specific trigger parameters.
Vulnerable Code
// cp-main-class.inc.php around line 1173 if ($this->get_param($this->prefix.'_encodingfix') == '1') { $wpdb->query('alter table '.$wpdb->prefix.$this->table_items.' convert to character set utf8 collate utf8_unicode_ci;'); $wpdb->query('alter table '.$wpdb->prefix.$this->table_messages.' convert to character set utf8 collate utf8_unicode_ci;'); echo 'Ok, encoding fixed.'; exit; } --- // cp-admin-int.inc.php around line 7 $current_user = wp_get_current_user(); $current_user_access = current_user_can('edit_pages'); $current_user_can_admin = current_user_can('manage_options'); if ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_option("cp_user_access",""))))) { echo 'Direct access not allowed.'; exit; }
Security Fix
@@ -161,8 +161,8 @@ qs += "&max_size="+f.cv_max_font_size.value; qs += "&noise="+f.cv_noise.value; qs += "&noiselength="+f.cv_noise_length.value; - qs += "&bcolor="+f.cv_background.value; - qs += "&border="+f.cv_border.value; + qs += "&bcolor="+f.cv_background.value.replace('#',''); + qs += "&border="+f.cv_border.value.replace('#',''); qs += "&font="+f.cv_font.options[f.cv_font.selectedIndex].value; qs += "&r="+(randcaptcha++); @@ -734,29 +734,8 @@ public function settings_page() { global $wpdb; - if ($this->get_param("cal") || $this->get_param("cal") == '0' || $this->get_param("pwizard") == '1') - { - $this->item = $this->get_param("cal"); - if (isset($_GET["edit"]) && $_GET["edit"] == '1') - @include_once dirname( __FILE__ ) . '/cp_admin_int_edition.inc.php'; - else if ($this->get_param("schedule") == '1') - @include_once dirname( __FILE__ ) . '/cp-admin-int-schedule.inc.php'; - else if ($this->get_param("list") == '1') - @include_once dirname( __FILE__ ) . '/cp-admin-int-message-list.inc.php'; - else if ($this->get_param("report") == '1') - @include_once dirname( __FILE__ ) . '/cp-admin-int-report.inc.php'; - else if ($this->get_param("addbk") == '1') - @include_once dirname( __FILE__ ) . '/cp-admin-int-add-booking.inc.php'; - else if ($this->get_param("pwizard") == '1') - { - if ($this->get_param("cal")) - $this->item = intval($this->get_param("cal")); - @include_once dirname( __FILE__ ) . '/cp-publish-wizzard.inc.php'; - } - else - @include_once dirname( __FILE__ ) . '/cp-admin-int.inc.php'; - } - else if ($this->get_param("page") == $this->menu_parameter.'_csseditor_page') + + if ($this->get_param("page") == $this->menu_parameter.'_csseditor_page') @include_once dirname( __FILE__ ) . '/csseditor.inc.php'; else if ($this->get_param("page") == $this->menu_parameter.'_upgrade') { @@ -780,6 +759,28 @@ else if ($this->get_param("page") == $this->menu_parameter.'_addons') { @include_once dirname( __FILE__ ) . '/cp-addons.inc.php'; + } + else if ($this->get_param("cal") || $this->get_param("cal") == '0' || $this->get_param("pwizard") == '1') + { + $this->item = $this->get_param("cal"); + if (isset($_GET["edit"]) && $_GET["edit"] == '1') + @include_once dirname( __FILE__ ) . '/cp_admin_int_edition.inc.php'; + else if ($this->get_param("schedule") == '1') + @include_once dirname( __FILE__ ) . '/cp-admin-int-schedule.inc.php'; + else if ($this->get_param("list") == '1') + @include_once dirname( __FILE__ ) . '/cp-admin-int-message-list.inc.php'; + else if ($this->get_param("report") == '1') + @include_once dirname( __FILE__ ) . '/cp-admin-int-report.inc.php'; + else if ($this->get_param("addbk") == '1') + @include_once dirname( __FILE__ ) . '/cp-admin-int-add-booking.inc.php'; + else if ($this->get_param("pwizard") == '1') + { + if ($this->get_param("cal")) + $this->item = intval($this->get_param("cal")); + @include_once dirname( __FILE__ ) . '/cp-publish-wizzard.inc.php'; + } + else + @include_once dirname( __FILE__ ) . '/cp-admin-int.inc.php'; } else @include_once dirname( __FILE__ ) . '/cp-admin-int-list.inc.php'; @@ -1173,14 +1174,6 @@ $this->check_reports(); - if ($this->get_param($this->prefix.'_encodingfix') == '1') - { - $wpdb->query('alter table '.$wpdb->prefix.$this->table_items.' convert to character set utf8 collate utf8_unicode_ci;'); - $wpdb->query('alter table '.$wpdb->prefix.$this->table_messages.' convert to character set utf8 collate utf8_unicode_ci;'); - echo 'Ok, encoding fixed.'; - exit; - } - if ($this->get_param($this->prefix.'_captcha') == 'captcha' ) { @include_once dirname( __FILE__ ) . '/captcha/captcha.php';
Exploit Outline
The exploit targets unauthenticated endpoints such as /wp-admin/admin-post.php or /wp-admin/admin-ajax.php. By sending a POST request containing specific plugin-defined parameters (e.g., cp_tslotsbooking_post_options=1 for settings or cp_tslotsbooking_encodingfix=1 for DB schema changes), an attacker can bypass authorization logic. For settings modification, the attacker identifies a valid calendar ID (default is 1) and includes POST parameters corresponding to configuration fields like 'form_name' or 'fp_destination_emails'. Since the plugin processes these options during core initialization hooks without verifying the user's capabilities, the changes are applied immediately.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.