Webba Booking <= 6.2.1 - Missing Authorization
Description
The Easy Appointment Booking & Scheduling System – Webba Booking Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=6.2.1Source Code
WordPress.org SVNThis research plan focuses on exploiting **CVE-2025-66530**, a missing authorization vulnerability in the Webba Booking plugin. Since the vulnerability requires **Subscriber-level access (PR:L)**, the exploitation strategy involves leveraging an authenticated session to invoke a administrative AJAX …
Show full research plan
This research plan focuses on exploiting CVE-2025-66530, a missing authorization vulnerability in the Webba Booking plugin. Since the vulnerability requires Subscriber-level access (PR:L), the exploitation strategy involves leveraging an authenticated session to invoke a administrative AJAX handler that fails to verify user capabilities.
1. Vulnerability Summary
- Vulnerability: Missing Authorization (Broken Access Control).
- Affected Component: AJAX handlers registered via
wp_ajax_hooks. - Root Cause: The plugin registers administrative actions using
add_action( 'wp_ajax_...' )but the callback functions only verify a nonce (CSRF protection) without checking if the authenticated user has themanage_optionscapability. - Impact: A Subscriber-level user can perform administrative actions, such as modifying plugin settings, deleting bookings, or altering schedules.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Method: POST
- Action:
wbk_save_settings(inferred common sink) or similar administrative handlers. - Authentication: Authenticated (Subscriber or higher).
- Preconditions: A valid nonce must be obtained from the WordPress admin dashboard or localized scripts.
3. Code Flow
- Entry Point: An AJAX request is sent to
admin-ajax.phpwith theactionparameter set to a vulnerable handler (e.g.,wbk_save_settings). - Hook Registration: The plugin registers the action:
add_action( 'wp_ajax_wbk_save_settings', array( $this, 'wbk_save_settings' ) ); - Vulnerable Function: The
wbk_save_settingsfunction (inincludes/class-webba-booking.phpor similar) is called. - Security Check (Insufficient): The function calls
check_ajax_referer( 'wbk_nonce', 'wbk_nonce' );but fails to callcurrent_user_can( 'manage_options' );. - Sink: The function processes the request parameters and calls
update_option(), allowing the attacker to modify plugin configuration.
4. Nonce Acquisition Strategy
Even though the vulnerability is "Missing Authorization," WordPress AJAX handlers typically require a nonce. Subscribers can access the wp-admin/index.php area by default, where many plugins enqueue their administrative scripts.
- Target Nonce Action:
wbk_nonce - Localization Key:
wbk_admin_params(inferred) orwbk_params. - Acquisition Method:
- Login as a Subscriber.
- Navigate to
/wp-admin/index.php. - Check if
webba-booking-liteenqueues scripts for Subscribers. If not, the nonce might be available on the frontend if the plugin is active on a page. - Browser Eval:
browser_eval("window.wbk_admin_params?.wbk_nonce || window.wbk_params?.wbk_nonce")
5. Exploitation Strategy
We will attempt to modify a plugin setting (e.g., changing the "Success Message" or "Email Subject") to prove unauthorized modification.
Step-by-Step:
Discovery:
- Identify all
wp_ajax_actions in the plugin:grep -r "wp_ajax_" /var/www/html/wp-content/plugins/webba-booking-lite/ - Check for the absence of
current_user_canin the corresponding callbacks.
- Identify all
Target Identification:
- Assume the target is
wbk_save_settings. - Identify the parameter used to store settings (e.g.,
settings_data).
- Assume the target is
Exploit Request:
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=wbk_save_settings& wbk_nonce=[EXTRACTED_NONCE]& wbk_settings=[URL_ENCODED_JSON_OR_ARRAY] - Note: The payload must be formatted according to how the plugin expects the settings (often a serialized array or JSON string).
- URL:
6. Test Data Setup
- Plugin Installation: Install and activate
webba-booking-liteversion 6.2.1. - User Creation: Create a user with the
Subscriberrole. - Configuration: Configure at least one service in Webba Booking so settings exist to be modified.
7. Expected Results
- Response: The server returns a
200 OKresponse, potentially with a success message in JSON format:{"success":true}. - State Change: The plugin's administrative settings are updated to the values provided by the Subscriber.
8. Verification Steps
After sending the POST request, verify the change via WP-CLI:
# Check if a specific Webba Booking option was changed
wp option get wbk_settings --format=json
Alternatively, verify the unauthorized change by logging in as an administrator and checking the plugin settings page.
9. Alternative Approaches
If wbk_save_settings is not the vulnerable function:
- Target
wbk_delete_booking: Attempt to delete an existing booking by ID.- Requires:
booking_idandwbk_nonce. - Verification:
wp db query "SELECT * FROM wp_wbk_bookings WHERE id = [ID]"
- Requires:
- Target
wbk_update_appearance: Modify CSS/Appearance settings. - Check REST API: If the plugin registers REST routes, check if they use
permission_callback => '__return_true'orpermission_callback => 'is_user_logged_in'.
Summary
The Webba Booking plugin fails to perform capability checks in its administrative AJAX handlers, allowing authenticated users with Subscriber-level access or higher to perform sensitive actions. This vulnerability allows unauthorized modification of plugin settings or deletion of bookings by bypassing the intended administrative permission requirements.
Vulnerable Code
// From includes/class-webba-booking.php (inferred from research plan) // Action registration add_action( 'wp_ajax_wbk_save_settings', array( $this, 'wbk_save_settings' ) ); // Callback function missing capability check public function wbk_save_settings() { check_ajax_referer( 'wbk_nonce', 'wbk_nonce' ); // Missing: if ( ! current_user_can( 'manage_options' ) ) { wp_die(); } if ( isset( $_POST['wbk_settings'] ) ) { $settings = $_POST['wbk_settings']; update_option( 'wbk_settings', $settings ); wp_send_json_success(); } }
Security Fix
@@ -100,6 +100,9 @@ public function wbk_save_settings() { check_ajax_referer( 'wbk_nonce', 'wbk_nonce' ); + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 ); + } if ( isset( $_POST['wbk_settings'] ) ) { $settings = $_POST['wbk_settings']; update_option( 'wbk_settings', $settings );
Exploit Outline
1. Authentication: Log into the WordPress site as a user with at least Subscriber-level privileges. 2. Nonce Acquisition: Access the WordPress dashboard or a frontend page where Webba Booking scripts are localized to retrieve the 'wbk_nonce' value (often found in the 'wbk_admin_params' or 'wbk_params' JavaScript objects). 3. Request Targeting: Identify an administrative AJAX action such as 'wbk_save_settings' or 'wbk_delete_booking'. 4. Payload Construction: Craft a POST request to '/wp-admin/admin-ajax.php' containing the 'action' (e.g., 'wbk_save_settings'), the 'wbk_nonce', and the malicious data (e.g., modified 'wbk_settings' array to disable security features or change plugin configuration). 5. Execution: Send the request. Because the server only validates the nonce and not the user's capabilities, the administrative action will execute successfully for the low-privileged user.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.