CVE-2025-66530

Webba Booking <= 6.2.1 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
6.2.2
Patched in
6d
Time to patch

Description

The Easy Appointment Booking & Scheduling System – Webba Booking Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=6.2.1
PublishedDecember 15, 2025
Last updatedDecember 20, 2025
Affected pluginwebba-booking-lite

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan focuses on exploiting **CVE-2025-66530**, a missing authorization vulnerability in the Webba Booking plugin. Since the vulnerability requires **Subscriber-level access (PR:L)**, the exploitation strategy involves leveraging an authenticated session to invoke a administrative AJAX …

Show full research plan

This research plan focuses on exploiting CVE-2025-66530, a missing authorization vulnerability in the Webba Booking plugin. Since the vulnerability requires Subscriber-level access (PR:L), the exploitation strategy involves leveraging an authenticated session to invoke a administrative AJAX handler that fails to verify user capabilities.

1. Vulnerability Summary

  • Vulnerability: Missing Authorization (Broken Access Control).
  • Affected Component: AJAX handlers registered via wp_ajax_ hooks.
  • Root Cause: The plugin registers administrative actions using add_action( 'wp_ajax_...' ) but the callback functions only verify a nonce (CSRF protection) without checking if the authenticated user has the manage_options capability.
  • Impact: A Subscriber-level user can perform administrative actions, such as modifying plugin settings, deleting bookings, or altering schedules.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Method: POST
  • Action: wbk_save_settings (inferred common sink) or similar administrative handlers.
  • Authentication: Authenticated (Subscriber or higher).
  • Preconditions: A valid nonce must be obtained from the WordPress admin dashboard or localized scripts.

3. Code Flow

  1. Entry Point: An AJAX request is sent to admin-ajax.php with the action parameter set to a vulnerable handler (e.g., wbk_save_settings).
  2. Hook Registration: The plugin registers the action:
    add_action( 'wp_ajax_wbk_save_settings', array( $this, 'wbk_save_settings' ) );
  3. Vulnerable Function: The wbk_save_settings function (in includes/class-webba-booking.php or similar) is called.
  4. Security Check (Insufficient): The function calls check_ajax_referer( 'wbk_nonce', 'wbk_nonce' ); but fails to call current_user_can( 'manage_options' );.
  5. Sink: The function processes the request parameters and calls update_option(), allowing the attacker to modify plugin configuration.

4. Nonce Acquisition Strategy

Even though the vulnerability is "Missing Authorization," WordPress AJAX handlers typically require a nonce. Subscribers can access the wp-admin/index.php area by default, where many plugins enqueue their administrative scripts.

  1. Target Nonce Action: wbk_nonce
  2. Localization Key: wbk_admin_params (inferred) or wbk_params.
  3. Acquisition Method:
    • Login as a Subscriber.
    • Navigate to /wp-admin/index.php.
    • Check if webba-booking-lite enqueues scripts for Subscribers. If not, the nonce might be available on the frontend if the plugin is active on a page.
    • Browser Eval:
      browser_eval("window.wbk_admin_params?.wbk_nonce || window.wbk_params?.wbk_nonce")

5. Exploitation Strategy

We will attempt to modify a plugin setting (e.g., changing the "Success Message" or "Email Subject") to prove unauthorized modification.

Step-by-Step:

  1. Discovery:

    • Identify all wp_ajax_ actions in the plugin:
      grep -r "wp_ajax_" /var/www/html/wp-content/plugins/webba-booking-lite/
    • Check for the absence of current_user_can in the corresponding callbacks.
  2. Target Identification:

    • Assume the target is wbk_save_settings.
    • Identify the parameter used to store settings (e.g., settings_data).
  3. Exploit Request:

    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=wbk_save_settings&
      wbk_nonce=[EXTRACTED_NONCE]&
      wbk_settings=[URL_ENCODED_JSON_OR_ARRAY]
      
    • Note: The payload must be formatted according to how the plugin expects the settings (often a serialized array or JSON string).

6. Test Data Setup

  1. Plugin Installation: Install and activate webba-booking-lite version 6.2.1.
  2. User Creation: Create a user with the Subscriber role.
  3. Configuration: Configure at least one service in Webba Booking so settings exist to be modified.

7. Expected Results

  • Response: The server returns a 200 OK response, potentially with a success message in JSON format: {"success":true}.
  • State Change: The plugin's administrative settings are updated to the values provided by the Subscriber.

8. Verification Steps

After sending the POST request, verify the change via WP-CLI:

# Check if a specific Webba Booking option was changed
wp option get wbk_settings --format=json

Alternatively, verify the unauthorized change by logging in as an administrator and checking the plugin settings page.

9. Alternative Approaches

If wbk_save_settings is not the vulnerable function:

  1. Target wbk_delete_booking: Attempt to delete an existing booking by ID.
    • Requires: booking_id and wbk_nonce.
    • Verification: wp db query "SELECT * FROM wp_wbk_bookings WHERE id = [ID]"
  2. Target wbk_update_appearance: Modify CSS/Appearance settings.
  3. Check REST API: If the plugin registers REST routes, check if they use permission_callback => '__return_true' or permission_callback => 'is_user_logged_in'.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Webba Booking plugin fails to perform capability checks in its administrative AJAX handlers, allowing authenticated users with Subscriber-level access or higher to perform sensitive actions. This vulnerability allows unauthorized modification of plugin settings or deletion of bookings by bypassing the intended administrative permission requirements.

Vulnerable Code

// From includes/class-webba-booking.php (inferred from research plan)

// Action registration
add_action( 'wp_ajax_wbk_save_settings', array( $this, 'wbk_save_settings' ) );

// Callback function missing capability check
public function wbk_save_settings() {
    check_ajax_referer( 'wbk_nonce', 'wbk_nonce' );
    
    // Missing: if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
    
    if ( isset( $_POST['wbk_settings'] ) ) {
        $settings = $_POST['wbk_settings'];
        update_option( 'wbk_settings', $settings );
        wp_send_json_success();
    }
}

Security Fix

--- a/includes/class-webba-booking.php
+++ b/includes/class-webba-booking.php
@@ -100,6 +100,9 @@
 	public function wbk_save_settings() {
 		check_ajax_referer( 'wbk_nonce', 'wbk_nonce' );
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
+		}
 		if ( isset( $_POST['wbk_settings'] ) ) {
 			$settings = $_POST['wbk_settings'];
 			update_option( 'wbk_settings', $settings );

Exploit Outline

1. Authentication: Log into the WordPress site as a user with at least Subscriber-level privileges. 2. Nonce Acquisition: Access the WordPress dashboard or a frontend page where Webba Booking scripts are localized to retrieve the 'wbk_nonce' value (often found in the 'wbk_admin_params' or 'wbk_params' JavaScript objects). 3. Request Targeting: Identify an administrative AJAX action such as 'wbk_save_settings' or 'wbk_delete_booking'. 4. Payload Construction: Craft a POST request to '/wp-admin/admin-ajax.php' containing the 'action' (e.g., 'wbk_save_settings'), the 'wbk_nonce', and the malicious data (e.g., modified 'wbk_settings' array to disable security features or change plugin configuration). 5. Execution: Send the request. Because the server only validates the nonce and not the user's capabilities, the administrative action will execute successfully for the low-privileged user.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.