[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7KsyVKOdawukVGKCplqUYf3sGo95Fh1PjzrCsjn_WTc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-9822","wp-hotel-booking-missing-authorization-3","WP Hotel Booking \u003C 2.3.1 - Missing Authorization","The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 2.3.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","wp-hotel-booking",null,"\u003C2.3.1","2.3.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-19 00:00:00","2026-06-23 15:47:59",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3a5a421a-3c76-4ea0-aa8a-878bbb7671d7?source=api-prod",5,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin\u002Fadmin-setup.css","assets\u002Fcss\u002Fadmin\u002Fadmin-single-room.css","assets\u002Fcss\u002Fadmin\u002Fadmin.tp-hotel-booking.css","assets\u002Fcss\u002Fadmin\u002Freview-image.css","assets\u002Fcss\u002Fbooking-single-room.css","assets\u002Fcss\u002Ffont-awesome.min.css","assets\u002Fcss\u002Ffullcalendar.min.css","assets\u002Fcss\u002Fhotel-booking.css","researched",false,3,"This research plan outlines the technical steps required to analyze and demonstrate the missing authorization vulnerability (CVE-2026-9822) in the WP Hotel Booking plugin.\n\n### 1. Vulnerability Summary\nThe WP Hotel Booking plugin (versions \u003C 2.3.1) contains a missing authorization vulnerability within its AJAX-based setup wizard. Specifically, the handler for the `wphb_install_pages` action (likely located in `inc\u002Fadmin\u002Fclass-wphb-admin-setup-wizard.php`) fails to verify if the requesting user has administrative privileges (e.g., `manage_options`). While a nonce check may be present, the nonce is localized and exposed to all authenticated users who have access to the WordPress admin dashboard, including those with Subscriber-level permissions.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `wphb_install_pages`\n*   **Payload Parameter:** `action=wphb_install_pages` and a valid security nonce.\n*   **Authentication:** Authenticated; Subscriber-level access or higher.\n*   **Vulnerability Type:** CWE-862: Missing Authorization.\n*   **Impact:** An attacker can trigger the automated creation of multiple plugin-specific pages (e.g., \"Rooms\", \"Checkout\", \"Cart\") and modify site structure without authorization.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX action for the setup wizard: `add_action( 'wp_ajax_wphb_install_pages', array( $this, 'install_pages' ) );`.\n2.  **Lack of Guardrail:** Inside the `install_pages()` function, the code checks for a valid nonce but fails to call `current_user_can( 'manage_options' )`.\n3.  **Sink:** The function proceeds to call `wp_insert_post()` for several default hotel pages, which can clutter the database or potentially overwrite page associations in the plugin settings.\n\n### 4. Nonce Acquisition Strategy\nThe setup wizard utilizes a nonce to prevent CSRF. This nonce is typically localized for the WordPress admin dashboard.\n\n1.  **Localization Variable:** Based on plugin patterns, the JS object is likely named `wphb_setup_params` or `wphb_admin_params`.\n2.  **Script Enqueue:** The plugin likely enqueues scripts using the `admin_enqueue_scripts` hook, which runs for all users accessing `\u002Fwp-admin\u002F`.\n3.  **Acquisition Steps:**\n    *   Authenticate as a Subscriber.\n    *   Navigate to the main Dashboard (`\u002Fwp-admin\u002Findex.php`).\n    *   Execute the following JS to extract the nonce:\n        `browser_eval(\"window.wphb_setup_params?.nonce || window.wphb_admin_params?.nonce\")`\n    *   *Note:* If the specific setup script is not loaded on the dashboard, navigate to a page where the plugin's CSS (e.g., `assets\u002Fcss\u002Fadmin\u002Fadmin.tp-hotel-booking.css`) is present.\n\n### 5. Exploitation Strategy\nThe goal is to trigger the unauthorized page installation via a direct AJAX request.\n\n**Request Details:**\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `wphb_install_pages`\n    *   `_wpnonce`: `[Extracted Nonce]`\n\n**Execution Plan:**\n1.  Use `browser_navigate` to log in and access the dashboard.\n2.  Use `browser_eval` to grab the nonce as described in Section 4.\n3.  Use `http_request` to send the `POST` payload.\n4.  Monitor the response for a successful JSON status or a `200 OK` indicating the pages were processed.\n\n### 6. Test Data Setup\n1.  Install WP Hotel Booking version 2.3.0.\n2.  Create a Subscriber user: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`.\n3.  Ensure the initial setup wizard has not been completed, or identify if the pages can be re-installed.\n4.  The presence of the `.wphb-setup` class in the DOM (as seen in `assets\u002Fcss\u002Fadmin\u002Fadmin-setup.css`) indicates the environment is ready.\n\n### 7. Expected Results\n*   **Successful Exploit:** The server returns a success message (often JSON-encoded). Multiple new pages appear in the WordPress \"Pages\" list (e.g., \"Search Results\", \"Checkout\").\n*   **Failed Exploit:** The server returns `403 Forbidden` or a `0` \u002F `-1` response, indicating either the nonce was invalid or a capability check was performed.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the unauthorized action using WP-CLI:\n```bash\n# Check if new pages were created (Hotel pages typically have specific titles)\nwp post list --post_type=page --fields=post_title,post_date | grep -E \"Checkout|Rooms|Search Results\"\n```\n\n### 9. Alternative Approaches\nIf `wphb_install_pages` is not the direct target, analyze other actions associated with the setup CSS (`admin-setup.css`):\n*   **Action:** `wphb_save_settings` (Check for lack of capability check when updating hotel currency or booking rules).\n*   **Action:** `wphb_ajax_update_booking_status` (Check if a subscriber can modify the status of existing room bookings).\n*   **Payload Modification:** If the standard nonce check fails, investigate if the action can be triggered via `admin_init` hooks that might lack the same checks as the AJAX entry points.","The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in its setup wizard AJAX handler. This allows authenticated users with subscriber-level permissions to trigger administrative actions, such as the automatic creation of plugin-specific pages, by exploiting the wphb_install_pages action.","\u002F\u002F inc\u002Fadmin\u002Fclass-wphb-admin-setup-wizard.php\n\npublic function install_pages() {\n    check_ajax_referer( 'wphb-setup', 'security' );\n\n    \u002F\u002F Vulnerability: Missing administrative capability check (e.g., current_user_can('manage_options'))\n\n    WPHB_Install::create_pages();\n    wp_send_json_success();\n}","--- inc\u002Fadmin\u002Fclass-wphb-admin-setup-wizard.php\n+++ inc\u002Fadmin\u002Fclass-wphb-admin-setup-wizard.php\n@@ -10,6 +10,10 @@\n public function install_pages() {\n     check_ajax_referer( 'wphb-setup', 'security' );\n \n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( -1 );\n+    }\n+\n     WPHB_Install::create_pages();\n     wp_send_json_success();\n }","An attacker with at least Subscriber-level authentication can exploit this vulnerability by first extracting a valid security nonce (wphb-setup) from the WordPress admin dashboard, where it is localized for authenticated users. The attacker then sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'wphb_install_pages' and the extracted nonce. Because the server-side handler fails to check for administrative capabilities, the plugin proceeds to create multiple hotel-related pages (Rooms, Checkout, etc.) in the site's database, allowing an unauthorized user to modify the site's structure.","gemini-3-flash-preview","2026-06-25 20:24:18","2026-06-25 20:25:41",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.3.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-hotel-booking\u002Ftags\u002F2.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-hotel-booking.2.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-hotel-booking\u002Ftags\u002F2.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-hotel-booking.2.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-hotel-booking\u002Ftags"]