WordPress Plugin Vulnerabilities

WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR

Description

The plugin does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users.

Proof of Concept

1. Book (or cancel booking) an event using an authenticated user.
2. Intercept the request using an HTTP Proxy (e.g., BurpSuite).
3. Change the `idUser` parameter in the request, and forward it.

Note: Since the `idUser` value is an incremental numerical value, it is easily brute forced.

Affects Plugins

No known fix

References

Classification

Type
IDOR
CWE

Miscellaneous

Original Researcher
Ameen Alkurdy
Submitter
Ameen Alkurdy
Submitter twitter
Verified
Yes

Timeline

Publicly Published
2023-04-03 (about 1 years ago)
Added
2023-04-03 (about 1 years ago)
Last Updated
2023-04-03 (about 1 years ago)

Other