WordPress Plugin Vulnerabilities
Booking Package < 1.5.29 - Unauthenticated Sensitive Data Disclosure
Description
The plugin requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability.
Proof of Concept
When a guest make a booking via sending "action: package_app_public_action" and "mode: sendbooking" request (screenshot: https://i.imgur.com/ql7bqnl.png), there is a field "icalToken" in the response, screenshot: https://i.imgur.com/6hlNcgU.png If the plugin has ical integration enabled, a threat actor can abuse this feature to download all the booking data, including email and name of all customers. For example, this file is from demo site and has all the booking information: https://booking-package.saasproject.net/demo-booking/?id=1&ical=445976b9e3f3276019b4763fb138ad9895e0a641 screenshot: https://i.imgur.com/7mum5Jc.png
Affects Plugins
References
CVE
Classification
Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
huli of Cymetrics
Submitter
huli of Cymetrics
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-03-09 (about 2 years ago)
Added
2022-03-09 (about 2 years ago)
Last Updated
2022-04-17 (about 2 years ago)