Executive Summary

The vulnerability in the Booking Calendar plugin for WordPress allows unauthenticated attackers to extract sensitive booking information such as customer names, email addresses, phone numbers, and booking details. This happens because the nonce verification, which is supposed to protect AJAX actions, is conditionally disabled by default due to the 'booking_is_nonce_at_front_end' option being set to 'Off'. When the 'booking_is_show_popover_in_timeline_front_end' option is enabled (default in demo installations and can be enabled by administrators), attackers can exploit the 'WPBC_FLEXTIMELINE_NAV' AJAX action to access this sensitive data without authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to sensitive information exposure, allowing attackers to access personal data of customers such as names, email addresses, phone numbers, and booking details without any authentication. This can result in privacy breaches, potential identity theft, phishing attacks, and loss of customer trust. Since the vulnerability is exploitable remotely via AJAX requests, it poses a significant risk to the confidentiality of booking data managed by the plugin.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring AJAX requests to the `WPBC_FLEXTIMELINE_NAV` action in the Booking Calendar plugin. Since the vulnerability involves unauthenticated AJAX requests extracting sensitive booking data due to disabled nonce verification, you can look for suspicious HTTP POST requests to the WordPress admin-ajax.php endpoint with the parameter `action=WPBC_FLEXTIMELINE_NAV`. Commands to detect such activity could include using network monitoring tools or command-line utilities like curl or wget to simulate or detect these requests. For example, you can use a command like: `curl -X POST -d 'action=WPBC_FLEXTIMELINE_NAV' https://yourwordpresssite.com/wp-admin/admin-ajax.php` and observe if sensitive booking data is returned without authentication. Additionally, monitoring web server logs for unauthenticated POST requests to admin-ajax.php with this action parameter can help detect exploitation attempts. However, no specific detection commands are provided in the resources. [6]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include enabling nonce verification on the front-end by setting the `booking_is_nonce_at_front_end` option to 'On' to ensure that AJAX requests like `WPBC_FLEXTIMELINE_NAV` require valid nonces, preventing unauthenticated access. Administrators should also review and disable the `booking_is_show_popover_in_timeline_front_end` option if it is enabled, as this option allows unauthenticated attackers to extract sensitive booking data. Updating the Booking Calendar plugin to a version later than 10.14.10 where nonce verification is properly enforced is recommended. Additionally, monitoring and restricting access to AJAX endpoints and applying web application firewall (WAF) rules to block suspicious requests targeting this AJAX action can help mitigate exploitation. [3, 6]

Useful 0 Not Useful 0