[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fK-LvZiGtK8Vwwvi8ooo-Uf5AYv5whccWIGDsvKS8kHQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":31},"CVE-2025-68515","wp-booking-system-booking-calendar-unauthenticated-information-exposure","WP Booking System – Booking Calendar \u003C= 2.0.19.12 - Unauthenticated Information Exposure","The WP Booking System – Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.19.12. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","wp-booking-system",null,"\u003C=2.0.19.12","2.0.19.13","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-03-04 00:00:00","2026-03-12 18:24:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F070d7310-ae5f-4486-9b93-36253e24f895?source=api-prod",9,[22,23],"readme.txt","wp-booking-system.php","researched",false,3,"# Vulnerability Research Plan: CVE-2025-68515 (WP Booking System Information Exposure)\n\n## 1. 
Vulnerability Summary\nThe **WP Booking System – Booking Calendar** plugin (up to version 2.0.19.12, fixed in 2.0.19.13) contains an unauthenticated information exposure vulnerability. The advisory states only that unauthenticated attackers can extract sensitive user or configuration data; it does not name the affected handler. The working hypothesis in this plan is that the plugin's front-end AJAX handlers, specifically those responsible for fetching calendar data and availability, fail to filter sensitive booking metadata, which would let an unauthenticated attacker extract personally identifiable information (PII) such as customer names, emails, and phone numbers associated with bookings, and possibly internal plugin configuration settings that should be restricted to administrators. Every inferred name below must be confirmed against the 2.0.19.12 source and the 2.0.19.13 diff (`readme.txt`, `wp-booking-system.php`) before it is relied on.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `wpbs_get_calendar_month` (Inferred from standard plugin front-end logic; verify against the plugin's registered `wp_ajax_nopriv_*` hooks)\n*   **Authentication:** None required (Targeting `wp_ajax_nopriv_` hooks)\n*   **Vulnerable Parameter:** `calendar_id` (Inferred)\n*   **Preconditions:** At least one calendar must exist, and it should have at least one booking containing sensitive data for the exposure to be demonstrable.\n\n## 3. Code Flow (Hypothesized)\n1.  **Entry Point:** An unauthenticated user sends a `POST` request to `admin-ajax.php` with the action `wpbs_get_calendar_month`.\n2.  **Hook Registration:** The plugin is assumed to register the handler via `add_action('wp_ajax_nopriv_wpbs_get_calendar_month', ...)`; the `nopriv` registration is what makes the endpoint reachable without a session.\n3.  **Data Retrieval:** The handler function (likely in `includes\u002Fclass-ajax-functions-front-end.php`) accepts a `calendar_id`, `month`, and `year`.\n4.  **Database Query:** The plugin queries the `wp_wpbs_bookings` and `wp_wpbs_calendars` tables to retrieve events for the requested period.\n5.  **Sink:** The retrieved database rows are passed into a JSON response via `wp_send_json()`. If the code does not whitelist only \"public\" fields (such as start\u002Fend dates and status), internal fields like `email`, `phone`, `first_name`, `last_name`, and `description` end up in the response. Confirming the exposure means observing such a field in an unauthenticated response, not merely finding the hook.\n\n## 4. 
Nonce Acquisition Strategy\nThe plugin is expected to enqueue its front-end scripts (inferred method: `WP_Booking_System::enqueue_front_end_scripts`) and to use `wp_localize_script` to pass a nonce to the browser. A WordPress nonce is a CSRF token, not an authorization check: it is handed to every anonymous visitor who renders the calendar, so a handler that verifies only the nonce is still unauthenticated for the purpose of this finding. If the handler turns out not to check a nonce at all, skip this section and send the request directly.\n\n*   **Shortcode:** `[wpbs id=\"1\"]`\n*   **Localization Object:** `wpbs_vars` (Inferred; confirm by inspecting the `window` globals on the rendered page)\n*   **Nonce Key:** `wpbs_nonce` (Inferred)\n\n**Strategy:**\n1.  Use WP-CLI to create a page containing the calendar shortcode.\n2.  Navigate to the page using `browser_navigate`.\n3.  Execute JavaScript to extract the nonce.\n\n```javascript\n\u002F\u002F Browser Eval Command\nwindow.wpbs_vars?.wpbs_nonce\n```\n\n## 5. Exploitation Strategy\nThe goal is to retrieve a JSON blob containing sensitive booking details for a specific calendar.\n\n1.  **Determine Calendar ID:** Usually `1` for the first calendar.\n2.  **Obtain Nonce:** Extract `wpbs_nonce` from a public page using the browser tools.\n3.  **Craft AJAX Request:**\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```text\n        action=wpbs_get_calendar_month&calendar_id=1&month=8&year=2025&wpbs_nonce=[EXTRACTED_NONCE]\n        ```\n4.  **Analyze Response:** Search the JSON for keys like `email`, `phone`, `first_name`, or `description` within the `days` or `bookings` arrays. Send the same request with an invalid nonce and with a non-existent `calendar_id` as baselines, so that an error payload is not mistaken for a data leak.\n\n## 6. Test Data Setup\nPrepare the environment using WP-CLI to ensure there is data to \"steal\":\n\n1.  **Create a Calendar:**\n    ```bash\n    # (The plugin usually creates a default calendar, but we ensure one exists)\n    wp eval \"wpbs_get_db_layer('calendars')->insert(array('name' => 'Secret Calendar', 'date_created' => current_time('mysql')));\"\n    ```\n2.  **Create a Legend Item (Booked Status):**\n    ```bash\n    wp eval \"wpbs_get_db_layer('legend_items')->insert(array('calendar_id' => 1, 'name' => 'Booked', 'type' => 'is_booked'));\"\n    ```\n3.  
**Insert a Sensitive Booking:**\n    ```bash\n    wp eval \"wpbs_get_db_layer('bookings')->insert(array('calendar_id' => 1, 'first_name' => 'John', 'last_name' => 'Doe', 'email' => 'john_private@example.com', 'phone' => '555-999-0000', 'description' => 'Secret internal note', 'start_date' => '2025-08-10', 'end_date' => '2025-08-15', 'status' => 'accepted'));\"\n    ```\n4.  **Publish a Page with the Calendar:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Booking Page\" --post_status=publish --post_content='[wpbs id=\"1\"]'\n    ```\n\n## 7. Expected Results\nA successful exploit will return a JSON response containing the sensitive fields:\n```json\n{\n  \"success\": true,\n  \"days\": {\n    \"10\": {\n      \"booking_id\": \"1\",\n      \"first_name\": \"John\",\n      \"last_name\": \"Doe\",\n      \"email\": \"john_private@example.com\",\n      \"phone\": \"555-999-0000\",\n      \"description\": \"Secret internal note\",\n      \"status\": \"accepted\"\n    }\n  }\n}\n```\nThe presence of `email` and `phone` in an unauthenticated response confirms the Information Exposure.\n\n## 8. Verification Steps\n1.  **Check Database:** Confirm the PII exists in the database.\n    ```bash\n    wp db query \"SELECT email, phone FROM wp_wpbs_bookings WHERE calendar_id = 1\"\n    ```\n2.  **Compare with AJAX:** Verify the strings found in the database match those returned by the `http_request` tool in the previous step.\n\n## 9. Alternative Approaches\nIf `wpbs_get_calendar_month` is secured in the target sub-version:\n*   **Check iCal Export:** Attempt to access `?wpbs_export=ical&calendar_id=1`. 
If the plugin uses a predictable token (e.g., an MD5 of the calendar ID) or lacks a token check, it may leak booking dates and descriptions.\n*   **Check Form Submissions:** If the plugin uses the `wpbs_submit_form` action, look for corresponding \"get\" actions like `wpbs_get_form_details` that might be mistakenly registered as `nopriv`.\n*   **Global JS Objects:** Inspect `window.wpbs_vars` via `browser_eval` to see if the entire plugin configuration\u002Fsettings array is localized into the page source.","gemini-3-flash-preview","2026-04-18 06:28:11","2026-04-18 06:28:46",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","2.0.19.12","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-booking-system\u002Ftags\u002F2.0.19.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-booking-system.2.0.19.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-booking-system\u002Ftags\u002F2.0.19.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-booking-system.2.0.19.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-booking-system\u002Ftags"]