TrueBooker <= 1.1.0 - Missing Authorization
Description
The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.1.0Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-67581 (TrueBooker <= 1.1.0) ## 1. Vulnerability Summary The **TrueBooker – Appointment Booking and Scheduler System** plugin (versions <= 1.1.0) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via `wp_ajax_nopriv_` fail…
Show full research plan
Exploitation Research Plan: CVE-2025-67581 (TrueBooker <= 1.1.0)
1. Vulnerability Summary
The TrueBooker – Appointment Booking and Scheduler System plugin (versions <= 1.1.0) contains a missing authorization vulnerability. Specifically, an AJAX handler registered via wp_ajax_nopriv_ fails to perform a capability check (e.g., current_user_can( 'manage_options' )). This allows unauthenticated attackers to trigger sensitive administrative functions, such as updating plugin settings or modifying appointment data, by sending a crafted request to admin-ajax.php.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Vulnerable Action:
truebooker_save_settings(inferred) ortb_update_config(inferred). - Authentication: None (Unauthenticated via
wp_ajax_nopriv_). - Parameter:
action(required), likely accompanied by asettingsordataarray containing configuration keys. - Preconditions: The plugin must be active. A nonce may be required, but as a
noprivaction, this nonce is likely exposed on any page where the booking form is rendered.
3. Code Flow (Inferred)
- Registration: The plugin registers an AJAX action:
add_action( 'wp_ajax_nopriv_truebooker_save_settings', 'tb_save_settings_callback' ); - Entry Point: An unauthenticated user sends a POST request to
admin-ajax.php?action=truebooker_save_settings. - Vulnerable Function: The callback function (e.g.,
tb_save_settings_callback) is invoked. - Missing Check: The function may check a nonce using
check_ajax_refererbut fails to check if the user has administrative privileges usingcurrent_user_can. - Sink: The function proceeds to call
update_option()orupdate_post_meta()based on user-supplied input.
4. Nonce Acquisition Strategy
The plugin likely enqueues scripts for its booking interface on the frontend. We will identify the shortcode and extract the nonce.
- Identify Shortcode: Search for shortcode registrations:
grep -rn "add_shortcode" .
Expected Shortcode:[truebooker]or[tb-booking-form](inferred). - Create Trigger Page: Create a public page containing this shortcode to force the plugin to enqueue its localized scripts.
- Identify JS Variable: Look for
wp_localize_scriptin the source code to find the object name and nonce key.grep -rn "wp_localize_script" .
Common names:truebooker_obj,tb_vars, ortruebooker_data. - Extract via Browser:
- Navigate to the created page.
- Execute:
browser_eval("window.truebooker_obj?.nonce")(Replacetruebooker_objandnoncewith actual keys found during the grep step).
5. Exploitation Strategy
We will attempt to modify a critical plugin setting, such as the administrator email or a redirect URL, to prove unauthorized modification.
- Step 1: Use
ls -Randgrepto find all registeredwp_ajax_nopriv_actions in the plugin directory. - Step 2: Analyze the callback function for the most impactful action (e.g., one that updates options).
- Step 3: Perform the exploit request:
- Method: POST
- URL:
http://<target>/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: Exact parameter names likeaction=truebooker_save_settings& security=[EXTRACTED_NONCE]& option_name=truebooker_admin_email& option_value=attacker@evil.comoption_namemust be verified by reading the plugin source code found in Step 1).
6. Test Data Setup
- Install Plugin: Ensure
truebooker-appointment-bookingversion 1.1.0 is installed and active. - Discovery: Run
grep -r "add_action.*wp_ajax_nopriv_"to find the vulnerable function name. - Shortcode Page:
wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content='[truebooker]'(Use the actual shortcode found).
7. Expected Results
- HTTP Response: A successful JSON response (e.g.,
{"success":true}) or the integer1. - Database Change: The WordPress option associated with the plugin settings will be updated to the attacker's value.
8. Verification Steps
After the HTTP request, verify the change using WP-CLI:
- Check Options:
wp option get truebooker_settings(or the specific option name identified during research). - Confirm Value: Ensure the value matches the one sent in the exploit payload.
9. Alternative Approaches
If truebooker_save_settings requires a higher privilege or is not the target:
- Alternative 1 (Data Manipulation): Look for
wp_ajax_nopriv_truebooker_cancel_appointmentortruebooker_delete_booking. Attempt to delete or modify an existing booking ID. - Alternative 2 (User Meta): Look for actions that update user profiles or metadata without checking
current_user_can( 'edit_user', $id ). - Alternative 3 (XSS via Settings): If settings can be modified, inject a script tag into a setting that is rendered on the admin dashboard (e.g.,
truebooker_business_name), leading to stored XSS.
Summary
The TrueBooker plugin for WordPress is vulnerable to unauthorized access in versions up to 1.1.0 due to the use of unauthenticated AJAX handlers (wp_ajax_nopriv_) that lack capability checks. This allows unauthenticated attackers to perform administrative actions, such as modifying plugin settings, by sending crafted requests to the WordPress AJAX endpoint.
Security Fix
@@ -45,6 +45,10 @@ public function truebooker_save_settings() { check_ajax_referer( 'truebooker_nonce', 'security' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); + } + $settings = $_POST['settings']; update_option( 'truebooker_settings', $settings ); wp_send_json_success(); }
Exploit Outline
1. Identify a public page containing the TrueBooker booking form to trigger the enqueuing of the plugin's JavaScript variables. 2. Extract the security nonce (e.g., from 'truebooker_obj.nonce') from the HTML source of the page. 3. Send an unauthenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the vulnerable callback (e.g., 'truebooker_save_settings'). 4. Pass the extracted nonce in the 'security' parameter and include custom settings in the payload to overwrite the plugin's configuration (e.g., updating the 'truebooker_admin_email' option or other administrative settings).
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.