WordPress Plugin Vulnerabilities

Booking Package < 1.5.29 - Unauthenticated Sensitive Data Disclosure

Description

The plugin requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability.

Proof of Concept

When a guest make a booking via sending "action: package_app_public_action" and "mode: sendbooking" request (screenshot: https://i.imgur.com/ql7bqnl.png), there is a field "icalToken" in the response, screenshot: https://i.imgur.com/6hlNcgU.png

If the plugin has ical integration enabled, a threat actor can abuse this feature to download all the booking data, including email and name of all customers.

For example, this file is from demo site and has all the booking information: https://booking-package.saasproject.net/demo-booking/?id=1&ical=445976b9e3f3276019b4763fb138ad9895e0a641

screenshot: https://i.imgur.com/7mum5Jc.png

Affects Plugins

Plugin icon
booking-package
Fixed in 1.5.29

References

CVE
CVE-2022-0709

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
huli of Cymetrics
Submitter
huli of Cymetrics
Submitter website
https://cymetrics.io/
Verified
Yes
WPVDB ID
3cd1d8d2-d2a4-45a9-9b5f-c2a56f08be85

Timeline

Publicly Published
2022-03-09 (about 2 years ago)
Added
2022-03-09 (about 2 years ago)
Last Updated
2022-04-17 (about 2 years ago)

Other

Published
Title
Published
2021-08-18
Title
BuddyPress < 9.1.1 - Activation Key Disclosure
Published
2023-11-21
Title
Quttera Web Malware Scanner < 3.4.2.1 - Directory Listing to Sensitive Data Exposure
Published
2023-11-21
Title
UserPro < 5.1.2 - Sensitive Information Disclosure via Shortcode
Published
2022-06-02
Title
Co-Authors-Plus 3.5/3.5.1 - Guest Authors Email Address Disclosure
Published
2024-04-11
Title
Citadela Listing <= 5.18.1 - Unauthenticated Sensitive Information Exposure