WP FEvents Book <= 0.46 – Subscriber+ Arbitrary Booking Manipulation via IDOR | CVE 2023-1129 | Plugin Vulnerabilities

Description

The plugin does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users.

Proof of Concept

1. Book (or cancel booking) an event using an authenticated user.
2. Intercept the request using an HTTP Proxy (e.g., BurpSuite).
3. Change the `idUser` parameter in the request, and forward it.

Note: Since the `idUser` value is an incremental numerical value, it is easily brute forced.

Affects Plugins

wp-fevents-book

No known fix

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Ameen Alkurdy

Submitter

Ameen Alkurdy

Submitter website

https://ameenalkurdy.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

d40479de-fb04-41b8-9fb0-41b9eefbd8af

Timeline

Publicly Published

2023-04-03 (about 1 years ago)

Added

2023-04-03 (about 1 years ago)

Last Updated

2023-04-03 (about 1 years ago)

Other

Published

Title

Published

2023-01-17

Title

WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

Published

2023-09-12

Title

Simplr Registration Form Plus+ <= 2.4.5 - Subscriber+ Arbitrary User Password Change via IDOR

Published

2024-01-16

Title

Display custom fields in the frontend – Post and User Profile Fields < 1.3.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Meta Disclosure

Published

2024-04-01

Title

Tickera < 3.5.2.5 - Ticket leakage through IDOR

Published

2023-06-12

Title

Tutor LMS < 2.2.1 - Unauthenticated Access to Tutor LMS Lesson Resources via REST API