WordPress Booking Calendar Plugin – PHP Object Injection Vulnerability [NEWS]

Updated on

WordPress plugin booking calendar vulnerability

WordPress booking calendar plugin has more than 60,000 active installs. Thus, the threat Intelligence team launched a responsible disclosure process on April 18, 2022.

When we received a response, we turned along with our entire disclosure on April 19, 2022. On April 21, 2022, a patched version of the plugin, called 9.1.1, was made available.

On April 18, 2022, Security experts released a firewall rule to protect clients. On May 18, 2022, all sites will receive the same level of security. As soon as the fixed version, 9.1.1, is released, we strongly advise all users to do the same.

 PHP Object Injection Vulnerability in Booking Calendar Plugin

Description: Insecure Deserialization/PHP Object Injection
Affected Plugin: Booking Calendar
Plugin Slug: booking
Plugin Developer: wpdevelop, oplugins
Affected Versions: <= 9.1
CVE ID: CVE-2022-1463
CVSS Score: 8.1(High)
Researcher/s: Ramuel Gall
Fully Patched Version: 9.1.1

Booking calendar plugin is an online booking system with a configurable timeline showing existing bookings and vacancies can be easily added to a website using the Booking Calendar plug-in [bookingflextimeline].

The flexible timeline offers the opportunity to customize viewing choices and options while viewing the published timeline. Some of these options were passed in PHP’s serialized data format and unserialized by the define_request_view_params_from_params function core/timeline/v2/wpbc-class-timeline_v2.php.

There are various ways an attacker might take control of serialized data:

  1. An unauthenticated attacker would be able to get the nonce needed to perform an AJAX request with the action configured to send an AJAX request if the timeline was published WPBC_FLEXTIMELINE_NAV and a timeline_obj[options] parameter set to a serialized PHP object.
  2. Any authenticated attacker could use the built-in parse-media-shortcode AJAX action to execute the [bookingflextimeline] shortcode, adding options attribute in the shortcode set to a serialized PHP object. Even if the site doesn’t have a published timetable, this would still function.
  3. An attacker with contributor-level privileges or above could also embed the [bookingflextimeline] shortcode containing malicious options attribute into a post and execute it by previewing it or WPBC_ FLEXTIMELINE_ NAV first by utilising method #1 and previewing the [bookingflextimeline] shortcode.

When an attacker has access to unserialized data by PHP, they can use that control to inject a PHP object with their design properties. Attackers with access to a “POP Chain” can run arbitrary code, remove data, or otherwise harm or take over an unprotected website. As fate would have it, the Booking plugin does not contain a POP chain, making it difficult for an attacker to exploit this flaw. As long as another plugin utilizes one of the common POP libraries, many sites might still be hacked by a POP chain attack.

This vulnerability’s impact is so severe that even if there is no POP chain and exploiting it is difficult, the CVSS rating remains “High.” This vulnerability has already been discussed on our site in greater detail if you’re interested.

Unauthenticated SQL injection in WordPress Plugin Appointment Booking Calendar 1.1.23

In the past, WordPress Plugin Appointment Booking Calendar version 1.1.23 was also vulnerable; and prior versions were affected too. It failed to sufficiently sanitize user-supplied data before using it in an SQL query . This Vulnerability was discovered by: Joaquin Ramirez Martinez [i0 security-lab]

A unauthenticated SQL injection flaw was discovered within the latest WordPress 
appointment-booking-calendar plugin version 1.1.23.

Timeline – PHP Object Injection Vulnerability

  • April 18, 2022 – A new firewall rule protects clients. Security experts are the ones who begin the disclosure procedure. It’s up to the plugin’s developer to ensure the contact method works.
  • April 19, 2022- Security experts sent the plugin developer the complete disclosure.
  • April 21, 2022 – The release of a new version of the Booking Calendar plugin, 9.1.1.

Conclusion – WordPress Booking Calendar Plugin PHP Object Injection

The Booking Calendar plugin has an Object Injection vulnerability, discussed earlier. Customers are protected from this vulnerability. To avoid the risk until May 18, 2022, users can update the Booking calendar plugin to version 9.1.1, which has been fixed.

threat intelligence team provides Incident Response services if you feel your WordPress site is hacked due to this vulnerability or any other WordPress vulnerabilities. Our team delivers the cleanup service with a 1-hour response time and 24-hour availability. Hands-on help is available too.