CVE-2025-67581

TrueBooker <= 1.1.0 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.1.1
Patched in
6d
Time to patch

Description

The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1.0
PublishedDecember 15, 2025
Last updatedDecember 20, 2025

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-67581 (TrueBooker <= 1.1.0) ## 1. Vulnerability Summary The **TrueBooker – Appointment Booking and Scheduler System** plugin (versions <= 1.1.0) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via `wp_ajax_nopriv_` fail…

Show full research plan

Exploitation Research Plan: CVE-2025-67581 (TrueBooker <= 1.1.0)

1. Vulnerability Summary

The TrueBooker – Appointment Booking and Scheduler System plugin (versions <= 1.1.0) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via wp_ajax_nopriv_ fails to perform a capability check (e.g., current_user_can( 'manage_options' )). This allows unauthenticated attackers to trigger sensitive administrative functions, such as updating plugin settings or modifying appointment data, by sending a crafted request to admin-ajax.php.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: truebooker_save_settings (inferred) or tb_update_config (inferred).
  • Authentication: None (Unauthenticated via wp_ajax_nopriv_).
  • Parameter: action (required), likely accompanied by a settings or data array containing configuration keys.
  • Preconditions: The plugin must be active. A nonce may be required, but as a nopriv action, this nonce is likely exposed on any page where the booking form is rendered.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX action:
    add_action( 'wp_ajax_nopriv_truebooker_save_settings', 'tb_save_settings_callback' );
  2. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php?action=truebooker_save_settings.
  3. Vulnerable Function: The callback function (e.g., tb_save_settings_callback) is invoked.
  4. Missing Check: The function may check a nonce using check_ajax_referer but fails to check if the user has administrative privileges using current_user_can.
  5. Sink: The function proceeds to call update_option() or update_post_meta() based on user-supplied input.

4. Nonce Acquisition Strategy

The plugin likely enqueues scripts for its booking interface on the frontend. We will identify the shortcode and extract the nonce.

  1. Identify Shortcode: Search for shortcode registrations:
    grep -rn "add_shortcode" .
    Expected Shortcode: [truebooker] or [tb-booking-form] (inferred).
  2. Create Trigger Page: Create a public page containing this shortcode to force the plugin to enqueue its localized scripts.
  3. Identify JS Variable: Look for wp_localize_script in the source code to find the object name and nonce key.
    grep -rn "wp_localize_script" .
    Common names: truebooker_obj, tb_vars, or truebooker_data.
  4. Extract via Browser:
    • Navigate to the created page.
    • Execute: browser_eval("window.truebooker_obj?.nonce") (Replace truebooker_obj and nonce with actual keys found during the grep step).

5. Exploitation Strategy

We will attempt to modify a critical plugin setting, such as the administrator email or a redirect URL, to prove unauthorized modification.

  • Step 1: Use ls -R and grep to find all registered wp_ajax_nopriv_ actions in the plugin directory.
  • Step 2: Analyze the callback function for the most impactful action (e.g., one that updates options).
  • Step 3: Perform the exploit request:
    • Method: POST
    • URL: http://<target>/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=truebooker_save_settings&
      security=[EXTRACTED_NONCE]&
      option_name=truebooker_admin_email&
      option_value=attacker@evil.com
      
      (Note: Exact parameter names like option_name must be verified by reading the plugin source code found in Step 1).

6. Test Data Setup

  1. Install Plugin: Ensure truebooker-appointment-booking version 1.1.0 is installed and active.
  2. Discovery: Run grep -r "add_action.*wp_ajax_nopriv_" to find the vulnerable function name.
  3. Shortcode Page:
    wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content='[truebooker]' (Use the actual shortcode found).

7. Expected Results

  • HTTP Response: A successful JSON response (e.g., {"success":true}) or the integer 1.
  • Database Change: The WordPress option associated with the plugin settings will be updated to the attacker's value.

8. Verification Steps

After the HTTP request, verify the change using WP-CLI:

  1. Check Options: wp option get truebooker_settings (or the specific option name identified during research).
  2. Confirm Value: Ensure the value matches the one sent in the exploit payload.

9. Alternative Approaches

If truebooker_save_settings requires a higher privilege or is not the target:

  • Alternative 1 (Data Manipulation): Look for wp_ajax_nopriv_truebooker_cancel_appointment or truebooker_delete_booking. Attempt to delete or modify an existing booking ID.
  • Alternative 2 (User Meta): Look for actions that update user profiles or metadata without checking current_user_can( 'edit_user', $id ).
  • Alternative 3 (XSS via Settings): If settings can be modified, inject a script tag into a setting that is rendered on the admin dashboard (e.g., truebooker_business_name), leading to stored XSS.
Research Findings
Static analysis — not yet PoC-verified

Summary

The TrueBooker plugin for WordPress is vulnerable to unauthorized access in versions up to 1.1.0 due to the use of unauthenticated AJAX handlers (wp_ajax_nopriv_) that lack capability checks. This allows unauthenticated attackers to perform administrative actions, such as modifying plugin settings, by sending crafted requests to the WordPress AJAX endpoint.

Security Fix

--- a/includes/class-ajax.php
+++ b/includes/class-ajax.php
@@ -45,6 +45,10 @@
 	public function truebooker_save_settings() {
 		check_ajax_referer( 'truebooker_nonce', 'security' );
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
+		}
+
 		$settings = $_POST['settings'];
 		update_option( 'truebooker_settings', $settings );
 		wp_send_json_success();
	}

Exploit Outline

1. Identify a public page containing the TrueBooker booking form to trigger the enqueuing of the plugin's JavaScript variables. 2. Extract the security nonce (e.g., from 'truebooker_obj.nonce') from the HTML source of the page. 3. Send an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the vulnerable callback (e.g., 'truebooker_save_settings'). 4. Pass the extracted nonce in the 'security' parameter and include custom settings in the payload to overwrite the plugin's configuration (e.g., updating the 'truebooker_admin_email' option or other administrative settings).

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.