WordPress Booking Calendar Plugin Missing Authorization Vulnerability Allowing Sensitive Information Exposure

Vulnerability

A vulnerability exists in the Booking Calendar plugin for WordPress, affecting all versions up to and including 10.14.11. The issue stems from missing authorization, which allows authenticated attackers with Subscriber-level access and above to access booking records from the database. This includes personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes of other users.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive user information, including personal details and booking data.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the WordPress site carrying the 'wpbc_ajx_booking_listing' action. That action is handled by the 'ajax_WPBC_AJX_BOOKING_LISTING' function in the 'WPBC_AJX_Bookings' class, which retrieves booking data without checking whether the caller is authorized to view it. Any logged-in user can therefore read all booking records, including the sensitive fields listed above.
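The defect described above is a missing authorization check in an admin-ajax handler. The following is an added example, not the Booking Calendar plugin's code or its fix, showing how such a handler should gate access before touching booking data: a nonce check against cross-site request forgery, then a capability check so that merely being logged in (Subscriber) is not enough. The action name, capability name and table name are hypothetical.

```php
<?php
// Added illustrative example (not the Booking Calendar plugin's code): an
// admin-ajax handler that enforces authorization before returning booking
// records. Action name, capability and table are hypothetical.

add_action( 'wp_ajax_example_booking_listing', 'example_ajax_booking_listing' );

function example_ajax_booking_listing() {
    // 1. CSRF protection: the request must carry a nonce issued for this
    //    action. check_ajax_referer() ends the request with a 403 on failure.
    check_ajax_referer( 'example_booking_listing', 'nonce' );

    // 2. Authorization: being authenticated is not the same as being allowed.
    //    Require a capability held only by roles meant to manage bookings
    //    (hypothetical name); a Subscriber does not have it, so the request
    //    is rejected here instead of reaching the database.
    if ( ! current_user_can( 'manage_example_bookings' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only now read booking records. The table name is built from the
    //    site prefix, not from request input, so no user data enters the query.
    global $wpdb;
    $table = $wpdb->prefix . 'example_bookings'; // hypothetical table
    $rows  = $wpdb->get_results(
        "SELECT id, name, email, status FROM {$table}",
        ARRAY_A
    );

    wp_send_json_success( $rows );
}

// Grant the capability to administrators only (hypothetical policy), for
// example on plugin activation, so the check above has a concrete meaning.
function example_register_capability() {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'manage_example_bookings' );
    }
}
register_activation_hook( __FILE__, 'example_register_capability' );
```

The client that calls this action must be given a matching nonce (for example via `wp_create_nonce( 'example_booking_listing' )` passed to the script with `wp_localize_script()`), and a handler registered only under `wp_ajax_` (not `wp_ajax_nopriv_`) still runs for every logged-in user, which is exactly why the `current_user_can()` check is required rather than optional.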

Remediation

Users are advised to update the Booking Calendar plugin to the latest version.

Added: Jan 16, 2026, 5:25 AM
Updated: Jan 16, 2026, 5:25 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.4
remediation: 0.0
relevance: 2.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.