WordPress Plugin Vulnerabilities
WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR
Description
The plugin does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users.
Proof of Concept
1. Book (or cancel booking) an event using an authenticated user. 2. Intercept the request using an HTTP Proxy (e.g., BurpSuite). 3. Change the `idUser` parameter in the request, and forward it. Note: Since the `idUser` value is an incremental numerical value, it is easily brute forced.
Affects Plugins
References
CVE
Classification
Type
IDOR
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Ameen Alkurdy
Submitter
Ameen Alkurdy
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-04-03 (about 1 years ago)
Added
2023-04-03 (about 1 years ago)
Last Updated
2023-04-03 (about 1 years ago)