[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUHsO4Bz16mDdIQecw3TgGgpKYVzHHaFRGhid2EawNro":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-32432","time-slots-booking-form-missing-authorization-2","Time Slots Booking Form \u003C= 1.2.42 - Missing Authorization","The Time Slots Booking Form plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.42. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-time-slots-booking-form",null,"\u003C=1.2.42","1.2.43","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-02 00:00:00","2026-04-15 21:18:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd2d50c64-f4e2-4a5a-b37f-bbb636ee468d?source=api-prod",45,[22,23,24,25],"README.txt","cp-admin-int.inc.php","cp-main-class.inc.php","wp-time-slots-booking-plugin.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32432\n\n## 1. Vulnerability Summary\nThe **WP Time Slots Booking Form** plugin (versions \u003C= 1.2.42) is vulnerable to **Missing Authorization**. The vulnerability exists because the plugin's administrative settings processing logic, typically triggered during `admin_init` or through specific AJAX actions, lacks a `current_user_can()` capability check. This allows unauthenticated attackers to modify plugin settings, such as calendar names, notification emails, and form structures, by sending a crafted HTTP POST request.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php` or `\u002Fwp-admin\u002Fadmin-post.php` (triggers `admin_init`).\n- **HTTP Method**: POST\n- **Parameters**: \n    - `cp_tslotsbooking_post_options`: A trigger parameter (from `cp-admin-int.inc.php`).\n    - `cp_tslotsbooking_id`: The ID of the calendar\u002Fform to modify (default is `1`).\n    - `cal`: The calendar ID passed in the query string (used in `cp-admin-int.inc.php`).\n    - `form_name`: The new name for the calendar (used as a PoC indicator).\n- **Authentication**: None Required (`PR:N`).\n- **Preconditions**: The plugin must be active. A calendar usually exists with ID `1` by default upon installation.\n\n##","The WP Time Slots Booking Form plugin for WordPress is vulnerable to unauthorized access and settings modification due to missing capability checks on administrative functions. Unauthenticated attackers can exploit this to change calendar configurations, notification emails, and even execute database schema modifications via specific trigger parameters.","\u002F\u002F cp-main-class.inc.php around line 1173\nif ($this->get_param($this->prefix.'_encodingfix') == '1')\n{\n    $wpdb->query('alter table '.$wpdb->prefix.$this->table_items.' convert to character set utf8 collate utf8_unicode_ci;');\n    $wpdb->query('alter table '.$wpdb->prefix.$this->table_messages.' convert to character set utf8 collate utf8_unicode_ci;');\n    echo 'Ok, encoding fixed.';\n    exit;\n}\n\n---\n\n\u002F\u002F cp-admin-int.inc.php around line 7\n$current_user = wp_get_current_user();\n$current_user_access = current_user_can('edit_pages');\n$current_user_can_admin = current_user_can('manage_options');\n\nif ( !is_admin() || (!$current_user_access && !@in_array($current_user->ID, unserialize($this->get_option(\"cp_user_access\",\"\")))))\n{\n    echo 'Direct access not allowed.';\n    exit;\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-time-slots-booking-form\u002F1.2.42\u002Fcp-admin-int.inc.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-time-slots-booking-form\u002F1.2.43\u002Fcp-admin-int.inc.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-time-slots-booking-form\u002F1.2.42\u002Fcp-admin-int.inc.php\t2026-02-03 14:45:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-time-slots-booking-form\u002F1.2.43\u002Fcp-admin-int.inc.php\t2026-02-16 17:18:48.000000000 +0000\n@@ -161,8 +161,8 @@\n                qs += \"&max_size=\"+f.cv_max_font_size.value;\n                qs += \"&noise=\"+f.cv_noise.value;\n                qs += \"&noiselength=\"+f.cv_noise_length.value;\n-               qs += \"&bcolor=\"+f.cv_background.value;\n-               qs += \"&border=\"+f.cv_border.value;\n+               qs += \"&bcolor=\"+f.cv_background.value.replace('#','');\n+               qs += \"&border=\"+f.cv_border.value.replace('#','');\n                qs += \"&font=\"+f.cv_font.options[f.cv_font.selectedIndex].value;\n                qs += \"&r=\"+(randcaptcha++);\n                \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-time-slots-booking-form\u002F1.2.42\u002Fcp-main-class.inc.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-time-slots-booking-form\u002F1.2.43\u002Fcp-main-class.inc.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-time-slots-booking-form\u002F1.2.42\u002Fcp-main-class.inc.php\t2026-02-03 14:45:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-time-slots-booking-form\u002F1.2.43\u002Fcp-main-class.inc.php\t2026-02-16 17:18:48.000000000 +0000\n@@ -734,29 +734,8 @@\n \n     public function settings_page() {\n         global $wpdb;\n-        if ($this->get_param(\"cal\") || $this->get_param(\"cal\") == '0' || $this->get_param(\"pwizard\") == '1')\n-        {\n-            $this->item = $this->get_param(\"cal\");\n-            if (isset($_GET[\"edit\"]) && $_GET[\"edit\"] == '1')\n-                @include_once dirname( __FILE__ ) . '\u002Fcp_admin_int_edition.inc.php';\n-            else if ($this->get_param(\"schedule\") == '1')\n-                @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int-schedule.inc.php';\n-            else if ($this->get_param(\"list\") == '1')\n-                @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int-message-list.inc.php';\n-            else if ($this->get_param(\"report\") == '1')\n-                @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int-report.inc.php';\n-            else if ($this->get_param(\"addbk\") == '1')\n-                @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int-add-booking.inc.php';\n-            else if ($this->get_param(\"pwizard\") == '1')\n-            {\n-                if ($this->get_param(\"cal\"))\n-                    $this->item = intval($this->get_param(\"cal\"));\n-                @include_once dirname( __FILE__ ) . '\u002Fcp-publish-wizzard.inc.php';\n-            }\n-            else\n-                @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int.inc.php';\n-        }\n-        else if ($this->get_param(\"page\") == $this->menu_parameter.'_csseditor_page')\n+        \n+        if ($this->get_param(\"page\") == $this->menu_parameter.'_csseditor_page')\n             @include_once dirname( __FILE__ ) . '\u002Fcsseditor.inc.php';           \n         else if ($this->get_param(\"page\") == $this->menu_parameter.'_upgrade')\n         {\n@@ -780,6 +759,28 @@\n         else if ($this->get_param(\"page\") == $this->menu_parameter.'_addons')\n         {\n             @include_once dirname( __FILE__ ) . '\u002Fcp-addons.inc.php';\n+        } \n+        else if ($this->get_param(\"cal\") || $this->get_param(\"cal\") == '0' || $this->get_param(\"pwizard\") == '1')\n+        {\n+            $this->item = $this->get_param(\"cal\");\n+            if (isset($_GET[\"edit\"]) && $_GET[\"edit\"] == '1')\n+                @include_once dirname( __FILE__ ) . '\u002Fcp_admin_int_edition.inc.php';\n+            else if ($this->get_param(\"schedule\") == '1')\n+                @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int-schedule.inc.php';\n+            else if ($this->get_param(\"list\") == '1')\n+                @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int-message-list.inc.php';\n+            else if ($this->get_param(\"report\") == '1')\n+                @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int-report.inc.php';\n+            else if ($this->get_param(\"addbk\") == '1')\n+                @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int-add-booking.inc.php';\n+            else if ($this->get_param(\"pwizard\") == '1')\n+            {\n+                if ($this->get_param(\"cal\"))\n+                    $this->item = intval($this->get_param(\"cal\"));\n+                @include_once dirname( __FILE__ ) . '\u002Fcp-publish-wizzard.inc.php';\n+            }\n+            else\n+                @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int.inc.php';\n         }\n         else\n             @include_once dirname( __FILE__ ) . '\u002Fcp-admin-int-list.inc.php';\n@@ -1173,14 +1174,6 @@\n \n         $this->check_reports();\n \n-        if ($this->get_param($this->prefix.'_encodingfix') == '1')\n-        {\n-            $wpdb->query('alter table '.$wpdb->prefix.$this->table_items.' convert to character set utf8 collate utf8_unicode_ci;');\n-            $wpdb->query('alter table '.$wpdb->prefix.$this->table_messages.' convert to character set utf8 collate utf8_unicode_ci;');\n-            echo 'Ok, encoding fixed.';\n-            exit;\n-        }\n-\n         if ($this->get_param($this->prefix.'_captcha') == 'captcha' )\n         {\n             @include_once dirname( __FILE__ ) . '\u002Fcaptcha\u002Fcaptcha.php';","The exploit targets unauthenticated endpoints such as \u002Fwp-admin\u002Fadmin-post.php or \u002Fwp-admin\u002Fadmin-ajax.php. By sending a POST request containing specific plugin-defined parameters (e.g., cp_tslotsbooking_post_options=1 for settings or cp_tslotsbooking_encodingfix=1 for DB schema changes), an attacker can bypass authorization logic. For settings modification, the attacker identifies a valid calendar ID (default is 1) and includes POST parameters corresponding to configuration fields like 'form_name' or 'fp_destination_emails'. Since the plugin processes these options during core initialization hooks without verifying the user's capabilities, the changes are applied immediately.","gemini-3-flash-preview","2026-04-18 22:07:36","2026-04-18 22:08:52",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.2.42","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-time-slots-booking-form\u002Ftags\u002F1.2.42","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-time-slots-booking-form.1.2.42.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-time-slots-booking-form\u002Ftags\u002F1.2.43","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-time-slots-booking-form.1.2.43.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-time-slots-booking-form\u002Ftags"]