------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Booking Calendar WordPress Plugin
------------------------------------------------------------------------
Edwin Molenaar [2], July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Booking Calendar WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing users' session tokens or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160714-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on Booking Calendar [3] WordPress Plugin version 6.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in Booking Calendar version 6.2.1 [4].

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Booking Calendar [3] WordPress Plugin is a booking system that provides an online reservation and availability-checking service for your site.

A Reflected Cross-Site Scripting vulnerability exists in the Booking Calendar WordPress plugin. This vulnerability allows an attacker to perform any action with the privileges of the target user. The affected code is not protected with an anti-Cross-Site Request Forgery token. Consequently, it can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The vulnerability exists in the wpdev_bk_settings_form_labels() function from booking/lib/wpdev-settings-general.php (line 1492). All input fields on the Booking > Settings > Fields page are vulnerable to Cross-Site Scripting, e.g. http:///wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking-option&tab=form.

All the forms on the Booking > Settings > Import tab are also vulnerable to Cross-Site Scripting; however, a valid anti-CSRF token is required for this tab, e.g. http:///wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking-option&tab=sync.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_booking_calendar_wordpress_plugin.html
[2] https://www.linkedin.com/in/edwinmolenaar
[3] https://wordpress.org/plugins/booking/
[4] https://downloads.wordpress.org/plugin/booking.zip
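The Details section above names two missing controls in the settings form: reflected field values are written into the page unescaped, and the form is not protected by an anti-CSRF token. The block below is an added, hypothetical WordPress admin-settings handler (not the Booking Calendar plugin's code and not the advisory's proof of concept) showing both controls in place; every function and option name prefixed with example_ is an assumption.

```php
<?php
// Hypothetical example written to illustrate the two defences discussed in
// the advisory. Not the Booking Calendar plugin's code; all example_* names
// are made up. Uses standard WordPress APIs (esc_attr, wp_nonce_field,
// check_admin_referer, current_user_can, sanitize_text_field).

// Render the settings form. Any value reflected from the request or read back
// from the database is passed through esc_attr(), so a crafted ?label=...
// parameter cannot break out of the value="" attribute and inject markup.
function example_render_settings_form() {
    $label = isset( $_GET['label'] )
        ? wp_unslash( $_GET['label'] )
        : get_option( 'example_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=example-settings' ) ); ?>">
        <?php
        // Anti-CSRF token bound to this specific action; verified on submit.
        wp_nonce_field( 'example_save_settings', 'example_nonce' );
        ?>
        <label for="example-label">Field label</label>
        <input type="text" id="example-label" name="label"
               value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the submission. Without the capability check and nonce verification,
// a logged-in administrator's browser could be made to submit this form from
// a third-party page, which is the CSRF condition the advisory describes.
function example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Stops the request if the nonce is missing, expired or for another action.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'example_label', $label );
}
```

Escaping at output (esc_attr) is what closes the reflected XSS; the nonce only limits who can reach the handler, so both are needed.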