Bookster <= 1.1.0 - Unauthenticated Appointment Status Update

Description The plugin allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to approved.

PoC

1. Open the Wordpress where the plugin is installed with default settings. 2. Create an appointment on a service offered. Select the agent and date of appointment. 3. Provide the user information. Such as name, email, phonenumber, Select the payment method and click on submit. 4. Intercept the traffic using burp-suite. Add the parameter “book_status” with value “approved” on “apptInput” json dictionary. 5. Submit the request and observed that the booking status is changed to approved.