Executive Summary

[{'type': 'paragraph', 'content': "The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress has a vulnerability due to a missing capability check in the 'Extension_Controller::update_item_permissions_check' function in all versions up to 1.0.16."}, {'type': 'paragraph', 'content': "This missing permission check allows unauthenticated attackers to perform unauthorized modifications, specifically enabling them to install addon plugins via the plugin's REST API endpoints."}, {'type': 'paragraph', 'content': "The core issue is that the permission check methods in the extension controller returned 'true' unconditionally, allowing any user, including unauthenticated ones, to update or install extensions without restriction."}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker without authentication to install addon plugins on your WordPress site running the Booktics plugin.

Installing unauthorized addons can lead to further compromise of your site, including potential introduction of malicious code, unauthorized access, or disruption of service.

The CVSS score of 5.3 (medium severity) reflects the potential for integrity impact (unauthorized modification of data) without direct impact on confidentiality or availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking if the Booktics plugin's REST API endpoints related to extensions allow unauthorized access to update or install addon plugins without proper capability checks."}, {'type': 'paragraph', 'content': 'Specifically, the endpoints at /booktics/v1/extensions (GET and POST/PUT) can be tested to see if unauthenticated or low-privilege users can perform actions such as installing or activating addons.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect this vulnerability include using curl to attempt to update or install an addon without authentication:'}, {'type': 'list_item', 'content': 'curl -X POST https://yourwordpresssite.com/wp-json/booktics/v1/extensions -d \'{"name":"addon_name","status":"install"}\' -H \'Content-Type: application/json\''}, {'type': 'list_item', 'content': 'curl -X PUT https://yourwordpresssite.com/wp-json/booktics/v1/extensions -d \'{"name":"addon_name","status":"activate"}\' -H \'Content-Type: application/json\''}, {'type': 'paragraph', 'content': 'If these commands succeed without authentication or proper permissions, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable REST API endpoints by ensuring proper capability checks are in place.'}, {'type': 'paragraph', 'content': "Specifically, update the Booktics plugin to a version where the permission checks for 'get_items_permissions_check' and 'update_item_permissions_check' methods require the 'manage_options' capability, limiting access to administrators only."}, {'type': 'paragraph', 'content': "If an update is not immediately available, consider applying a patch that modifies these permission check functions to return current_user_can('manage_options')."}, {'type': 'paragraph', 'content': 'Additionally, monitor and restrict access to the REST API endpoints related to Booktics extensions, and consider disabling or removing the plugin if it is not essential.'}] [2]

Useful 0 Not Useful 0