Booked Broken Authentication Scanner
Detects the 'Broken Authentication' vulnerability in Booked, affecting versions < 2.2.6.
Short Info
Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 18 days 23 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
Booked is a popular appointment booking plugin for WordPress, used widely by businesses and service providers to streamline appointment scheduling. It simplifies the booking process for clients and gives administrators an efficient way to manage schedules. Because of its widespread use, it is integrated into WordPress sites across sectors such as healthcare, consulting, and other appointment-based services. The plugin aims to improve the user experience by offering seamless interaction with booking systems directly through websites. Given its integration with critical business functions, any vulnerability in Booked significantly affects operational flow, so timely identification and remediation of issues in Booked are crucial to maintaining business continuity and integrity.
A broken authentication vulnerability in Booked allows unauthorized access through inadequate capability checks. The flaw is present in multiple AJAX actions where checks on user permissions are either insufficient or missing entirely. As a result, attackers holding at least subscriber-level credentials can perform actions beyond their assigned rights. This bypass can lead to unauthorized data exposure and privilege-escalating actions, compromising the integrity and security of the affected WordPress site. Robust authorization checks on every privileged action are crucial to preventing such exploitation.
The vulnerability stems from the lack of comprehensive capability checks within certain AJAX functions. An authenticated low-privilege user can reach these handlers with crafted requests and invoke functions that should be restricted to administrators, including operations tied to appointment management and potentially other administrative tasks. The endpoint '/wp-admin/admin-post.php' is critical because of its role in dispatching administrative actions. Correctly implemented role and capability checks mitigate these vulnerabilities.
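The following is an added illustration, not Booked's own code: a hypothetical appointment-deletion handler dispatched through /wp-admin/admin-post.php, first in the missing-capability-check form the advisory describes and then with the checks that close the gap. Action names, function names, the 'demo_appointment' post type and the 'manage_options' capability are assumptions chosen for the example.

```php
<?php
// Added example (hypothetical names), not code from the Booked plugin.
// WordPress runs admin_post_{action} hooks for any logged-in user who reaches
// /wp-admin/admin-post.php?action={action}, so the handler itself must authorize.

// VULNERABLE PATTERN: a subscriber can reach this handler, and nothing verifies
// that the caller is allowed to manage appointments before the delete happens.
function demo_delete_appointment_vulnerable() {
    $appointment_id = isset( $_POST['appointment_id'] ) ? absint( $_POST['appointment_id'] ) : 0;
    wp_delete_post( $appointment_id, true );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-booked' ) );
    exit;
}
add_action( 'admin_post_demo_delete_appointment_vulnerable', 'demo_delete_appointment_vulnerable' );

// HARDENED PATTERN: the same handler with the checks the advisory says were missing.
function demo_delete_appointment_hardened() {
    // 1. Capability check: fail closed unless the user holds a capability that
    //    actually implies appointment management (manage_options is assumed here;
    //    a plugin-specific capability mapped to the right roles is preferable).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to perform this action.', 'demo' ), 403 );
    }

    // 2. Nonce check: the submitting form must have emitted
    //    wp_nonce_field( 'demo_delete_appointment' ), so an administrator cannot be
    //    tricked into triggering the action from another site (CSRF).
    check_admin_referer( 'demo_delete_appointment' );

    // 3. Validate the target before acting on it: only an existing post of the
    //    expected type may be deleted, so the handler cannot remove arbitrary content.
    $appointment_id = isset( $_POST['appointment_id'] ) ? absint( $_POST['appointment_id'] ) : 0;
    if ( 0 === $appointment_id || 'demo_appointment' !== get_post_type( $appointment_id ) ) {
        wp_die( esc_html__( 'Invalid appointment.', 'demo' ), 400 );
    }

    wp_delete_post( $appointment_id, true );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-booked' ) );
    exit;
}
add_action( 'admin_post_demo_delete_appointment', 'demo_delete_appointment_hardened' );
```

Handlers registered on wp_ajax_{action} (served by admin-ajax.php) need the same current_user_can() and nonce checks, with check_ajax_referer() in place of check_admin_referer().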
If exploited, this vulnerability could lead to unauthorized access to sensitive information and alteration of booking data. Malicious actors could misuse this to disrupt scheduled operations, access confidential client information, or potentially escalate their privileges within the WordPress system. Such unauthorized actions could damage business reputation, lead to data breaches, and violate privacy regulations.