_ _ / | _| |_ _ _____ ___ ___ ___ ___ ___ _ / / | . | | | | . | _| . | _| -_| |_|_/ |___|___|_|_|_| _|___|___|_| |___| |_|

2019-05-07

CSRF & Authed SQLi in 'wp-booking-system' WordPress plugin
==========================================================
CVE-2019-12239

Two authenticated SQL injection vulnerabilities were found in wp-booking-system v1.5.1[1]. At the time of writing, wordpress.org reports 9000+ active installations.

Prepared statements are used correctly in a lot of places; unfortunately, two queries were missed.

Because authentication is required to reach the vulnerable code, the complexity of exploitation is the same as the complexity of gaining access to an administrative user session. Luckily for the attacker, no CSRF protective mechanism (WordPress nonce[2]) was found. It is therefore possible for an attacker to craft a malicious webpage that, once visited by an authenticated administrative user, triggers the SQL injection vulnerability.

# Bug1 details

wp-booking-system.php:

    103 add_action('wp_ajax_bookingModalData' , 'bookingModalData_callback');

include/bookingAjax.php:

    2 function bookingModalData_callback() {
    3     global $wpdb;
    4     $sql = 'SELECT * FROM ' . $wpdb->prefix . 'bs_calendars WHERE calendarID = ' . $_POST['calendarID'];
    5     $calendar = $wpdb->get_row( $sql, ARRAY_A );

# Bug2 details

include/pluginStructure.php:

    6 function wpbs_calendars(){
    7     $do = (!empty($_GET['do'])) ? $_GET['do'] : 'calendars';
    8     switch($do){
    ..
    49        case 'booking-delete':
    50            include WPBS_DIR_PATH . '/controllers/bookings/booking-delete.php';
    ..
    54     }
    55 }

controllers/bookings/booking-delete.php:

    4 $sql = 'SELECT * FROM ' . $wpdb->prefix . 'bs_bookings WHERE bookingID = '. $_GET['bookingID'] .'';
    5 $booking = $wpdb->get_row( $sql, ARRAY_A );

# Proof of discovery

https://twitter.com/magnusstubman/status/1125370125409038338

    $ cat a | base64 -b 75
    JHNxbCA9ICdTRUxFQ1QgKiBGUk9NICcgLiAkd3BkYi0+cHJlZml4IC4gJ2JzX2Jvb2tpbmdzIFd
    IRVJFIGJvb2tpbmdJRCA9ICcuICRfR0VUWydib29raW5nSUQnXSAuJyc7Cg==
    $ sha256sum a
    27d3119bfb55a985aa8b8f521fd61089f9f0c6cc5d8ea018f475369c61bac95a  a

# Timeline

2019-05-07 Public disclosure
2019-05-07 CVE-ID requested
2019-05-07 Vendor released update
2019-05-20 CVE-2019-12239 assigned

# References

1: https://wordpress.org/plugins/wp-booking-system/
2: https://codex.wordpress.org/WordPress_Nonces
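The two queries above, rewritten with the protections the advisory reports as missing (a WordPress nonce check and a prepared statement). This is an added example for Bug1 and Bug2 together, not code from the plugin or its vendor; the nonce action strings `wpbs_modal_nonce` and `wpbs_delete_booking`, the `_hardened` function names and the `manage_options` capability are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's own code. Hardened versions of the two
// handlers from the advisory. Nonce action names ('wpbs_modal_nonce',
// 'wpbs_delete_booking') and the required capability are assumptions.

// Bug1 hardened: the AJAX callback behind wp_ajax_bookingModalData.
function bookingModalData_callback_hardened() {
    global $wpdb;

    // CSRF defence: dies with HTTP 403 unless $_POST['nonce'] carries a valid
    // token produced by wp_create_nonce('wpbs_modal_nonce') for this user.
    check_ajax_referer('wpbs_modal_nonce', 'nonce');

    // Authorisation is separate from CSRF: the nonce only proves the request
    // originated from the plugin's own page, not that the user may run it.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // %d coerces the value to an integer, so the attacker-controlled string
    // never becomes part of the SQL text. $wpdb->prefix is not user input.
    $calendar_id = isset($_POST['calendarID']) ? $_POST['calendarID'] : 0;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}bs_calendars WHERE calendarID = %d",
        $calendar_id
    );
    $calendar = $wpdb->get_row($sql, ARRAY_A);

    wp_send_json_success($calendar);
}
add_action('wp_ajax_bookingModalData', 'bookingModalData_callback_hardened');

// Bug2 hardened: the booking-delete controller reached via ?do=booking-delete.
// Links to it should be built with wp_nonce_url($url, 'wpbs_delete_booking')
// so that the _wpnonce query parameter is present; check_admin_referer()
// dies if the parameter is missing or stale.
function wpbs_booking_delete_hardened() {
    global $wpdb;

    check_admin_referer('wpbs_delete_booking');
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }

    // absint() plus %d: two independent guarantees that only an integer
    // reaches the query.
    $booking_id = isset($_GET['bookingID']) ? absint($_GET['bookingID']) : 0;
    $booking = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}bs_bookings WHERE bookingID = %d",
            $booking_id
        ),
        ARRAY_A
    );
    return $booking;
}
```

Two points worth keeping in mind when reviewing similar code: the nonce fixes the CSRF part of the report, the `%d` placeholder fixes the SQL injection part, and neither substitutes for the other, since a prepared statement still lets a cross-site request delete a booking, and a nonce still lets a legitimately logged-in admin inject SQL. The capability check is the third, separate control; `check_ajax_referer()` on its own only proves the request came from a page where the nonce was rendered.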