[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fiAZCBnSIyPINxPHxux_at_CPY4Zt6eXMyJZlghC469g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39663","truebooker-missing-authorization-2","TrueBooker \u003C= 1.1.6 - Missing Authorization","The TrueBooker plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","truebooker-appointment-booking",null,"\u003C=1.1.6","1.1.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 00:00:00","2026-04-24 19:44:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbc36c9e4-5f6d-4cb8-85b3-f02e00b6d3cb?source=api-prod",66,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39663 (TrueBooker Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **TrueBooker – Appointment Booking and Scheduler System** plugin (\u003C= 1.1.5) contains a missing authorization vulnerability. This occurs when an AJAX handler is registered via `wp_ajax_nopriv_` (making it accessible to unauthenticated users) or `wp_ajax_` (accessible to any logged-in user), but the callback function fails to perform a capability check (e.g., `current_user_can('manage_options')`). \n\nThis allows an unauthenticated attacker to execute administrative actions, such as modifying plugin settings, deleting bookings, or potentially altering WordPress site options if the plugin uses a generic settings-saving function.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **HTTP Method**: `POST`\n- **Action**: (Inferred) `truebooker_save_settings`, `truebooker_update_options`, or `truebooker_delete_booking`.\n- **Payload Parameters**:\n  - `action`: The vulnerable AJAX action string.\n  - `nonce`: A security nonce (if required).\n  - `settings_data` or specific keys: The data to be modified.\n- **Preconditions**: The plugin must be active. A valid nonce may be required if the `nopriv` handler still verifies nonces but is exposed on the frontend.\n\n## 3. Code Flow\n1. **Entry Point**: The plugin registers a handler in its main class or an AJAX handler class (likely `includes\u002Fclass-truebooker-ajax.php` or similar).\n   - Hook: `add_action('wp_ajax_nopriv_[ACTION_NAME]', 'callback_function');`\n2. **Missing Check**: The `callback_function` proceeds to call functions like `update_option()` or `$wpdb->delete()` without verifying the user's identity or capabilities via `current_user_can()`.\n3. **Execution**: The attacker's input is processed, leading to unauthorized modification of the site state.\n\n## 4. Nonce Acquisition Strategy\nIf the vulnerable handler uses `check_ajax_referer` or `wp_verify_nonce`, we must acquire a nonce valid for user ID `0`.\n\n1. **Locate Script Localization**: Search for `wp_localize_script` in the plugin code to find where the nonce is exposed.\n   - **Grep Command**: `grep -rn \"wp_localize_script\" .`\n   - **Expected Variable (Inferred)**: `truebooker_obj` or `tb_params`.\n   - **Expected Key (Inferred)**: `nonce`.\n2. **Identify Triggering Shortcode**: Find the shortcode that enqueues the frontend scripts.\n   - **Grep Command**: `grep -rn \"add_shortcode\" .`\n   - **Likely Shortcode**: `[truebooker_booking_form]` or `[truebooker]`.\n3. **Page Creation**:\n   - `wp post create --post_type=page --post_status=publish --post_title=\"Booking\" --post_content='[truebooker_booking_form]'`\n4. **Extraction**:\n   - Navigate to the new page.\n   - Use `browser_eval` to extract: `window.truebooker_obj?.nonce` (inferred key).\n\n## 5. Exploitation Strategy\nWe will attempt to perform an unauthorized setting update.\n\n### Step 1: Identification\nSearch the plugin files for `wp_ajax_nopriv` hooks that perform sensitive actions.\n```bash\ngrep -rn \"wp_ajax_nopriv_\" .\n```\nLook for actions like `truebooker_save_settings`. Verify if the callback function lacks `current_user_can`.\n\n### Step 2: Payload Construction\nAssuming the action is `truebooker_save_settings` and it updates the `truebooker_settings` option.\n\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Payload**:\n  ```text\n  action=truebooker_save_settings&nonce=[EXTRACTED_NONCE]&settings[allow_registration]=1&settings[admin_email]=attacker@example.com\n  ```\n\n### Step 3: Execution\nUse the `http_request` tool to send the payload.\n\n## 6. Test Data Setup\n1. **Install Plugin**: Ensure TrueBooker version \u003C= 1.1.5 is active.\n2. **Create Frontend Page**: Create a page with the booking shortcode to ensure nonces (if any) are generated and accessible.\n3. **Check Current State**: Use `wp option get truebooker_settings` to record the current state.\n\n## 7. Expected Results\n- **Response**: The server returns a `200 OK` and likely a JSON success message like `{\"success\": true}` or `1`.\n- **Outcome**: The plugin's internal settings are updated despite the request being unauthenticated.\n\n## 8. Verification Steps\n1. **Verify via WP-CLI**:\n   ```bash\n   wp option get truebooker_settings\n   ```\n   Check if the values match the payload sent in the exploit.\n2. **Verify Side Effects**: If the exploit changed the `admin_email` or a registration setting, check the corresponding database record.\n\n## 9. Alternative Approaches\n- **Option Overwrite**: If the AJAX handler is generic (e.g., `truebooker_update_option`), try to overwrite core WordPress options like `users_can_register` or `default_role`.\n- **Data Deletion**: If an action like `truebooker_delete_booking` is vulnerable, try to delete an existing booking by ID:\n  - Payload: `action=truebooker_delete_booking&id=1`\n- **Information Leak**: Check if any `nopriv` action returns sensitive data like customer lists or system paths.","The TrueBooker plugin for WordPress fails to implement authorization checks in its AJAX handlers registered via wp_ajax_nopriv_. This allows unauthenticated attackers to perform administrative actions such as modifying plugin settings or deleting data by sending crafted requests to the admin-ajax.php endpoint.","\u002F\u002F File: includes\u002Fclass-truebooker-ajax.php (inferred)\nadd_action('wp_ajax_nopriv_truebooker_save_settings', 'truebooker_save_settings');\nadd_action('wp_ajax_truebooker_save_settings', 'truebooker_save_settings');\n\nfunction truebooker_save_settings() {\n    \u002F\u002F Missing capability check like current_user_can('manage_options')\n    if (isset($_POST['settings'])) {\n        $settings = $_POST['settings'];\n        update_option('truebooker_settings', $settings);\n        wp_send_json_success();\n    }\n}\n\n---\n\n\u002F\u002F File: includes\u002Fclass-truebooker-ajax.php (inferred)\nadd_action('wp_ajax_nopriv_truebooker_delete_booking', 'truebooker_delete_booking');\n\nfunction truebooker_delete_booking() {\n    \u002F\u002F Missing capability check\n    $booking_id = intval($_POST['id']);\n    global $wpdb;\n    $wpdb->delete($wpdb->prefix . 'truebooker_bookings', array('id' => $booking_id));\n    wp_send_json_success();\n}","--- includes\u002Fclass-truebooker-ajax.php\n+++ includes\u002Fclass-truebooker-ajax.php\n@@ -1,10 +1,11 @@\n-add_action('wp_ajax_nopriv_truebooker_save_settings', 'truebooker_save_settings');\n add_action('wp_ajax_truebooker_save_settings', 'truebooker_save_settings');\n \n function truebooker_save_settings() {\n+    if (!current_user_can('manage_options')) {\n+        wp_die(__('You do not have sufficient permissions to access this page.'));\n+    }\n+    check_ajax_referer('truebooker_settings_nonce', 'nonce');\n     if (isset($_POST['settings'])) {\n         $settings = $_POST['settings'];\n         update_option('truebooker_settings', $settings);","The exploit involves targeting the unauthenticated AJAX handlers exposed by the plugin. 1. Identify a vulnerable action registered via wp_ajax_nopriv_ (e.g., truebooker_save_settings). 2. If a nonce is required, retrieve it by visiting a page where the plugin's booking form is active (e.g., [truebooker_booking_form]) and extracting the nonce from the localized script object (e.g., truebooker_obj.nonce). 3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to the vulnerable hook, the 'nonce' parameter (if applicable), and the malicious payload (e.g., settings[allow_registration]=1) to modify plugin or site configuration without authentication.","gemini-3-flash-preview","2026-04-19 05:19:26","2026-04-19 05:19:44",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.1.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftruebooker-appointment-booking\u002Ftags\u002F1.1.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftruebooker-appointment-booking.1.1.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftruebooker-appointment-booking\u002Ftags"]