Free Booking Plugin for Hotels, Restaurants and Car Rentals eaSYNC Booking Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Free Booking Plugin for Hotels, Restaurants and Car Rentals - eaSYNC Booking, affecting all versions through 1.3.21. The vulnerability arises from inadequate validation of user-controlled input in the 'view_request_details' feature, enabling unauthenticated attackers to access the details of any booking request. Although this issue was partially addressed in versions 1.3.18 and 1.3.21, the vulnerability remains present in version 1.3.21.

Impact

Exploitation of this vulnerability allows unauthorized users to access sensitive booking details, potentially leading to privacy violations and unauthorized information disclosure.

Reproduction

To reproduce this vulnerability, send a request to the 'view_request_details' endpoint without proper authentication. Include a reference to a booking request in the request data. The absence of validation on the user-controlled key will allow access to the details of the specified booking request.
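The pattern described above, shown as an added illustrative example rather than code from the eaSYNC Booking plugin: a WordPress AJAX handler that trusts a caller-supplied booking key beside a hardened version that requires login, verifies a nonce, and enforces ownership before disclosing anything. The post type 'easync_booking', the capability, the meta keys and the handler names are assumptions; only the 'view_request_details' feature name comes from the advisory.

```php
<?php
// Added example, not the plugin's own code. Assumes booking requests are stored as a
// custom post type ('easync_booking', assumed name) whose post_author is the requester.

// BEFORE (vulnerable pattern): reachable without login via the nopriv hook, and the
// handler returns whichever record the caller names, with no ownership check.
add_action( 'wp_ajax_nopriv_view_request_details', 'easync_view_request_details_insecure' );
add_action( 'wp_ajax_view_request_details', 'easync_view_request_details_insecure' );
function easync_view_request_details_insecure() {
    $booking = get_post( (int) $_POST['request_id'] ); // user-controlled key trusted as-is
    wp_send_json_success( easync_booking_payload( $booking ) );
}

// AFTER (hardened): no nopriv hook (login required), nonce check, sanitized key,
// existence/type check, then ownership or a management capability.
add_action( 'wp_ajax_view_request_details', 'easync_view_request_details_secure' );
function easync_view_request_details_secure() {
    check_ajax_referer( 'easync_view_request', 'nonce' ); // rejects forged cross-site requests

    $request_id = isset( $_POST['request_id'] ) ? absint( $_POST['request_id'] ) : 0;
    $booking    = $request_id ? get_post( $request_id ) : null;
    if ( ! $booking || 'easync_booking' !== $booking->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    $is_owner   = (int) $booking->post_author === get_current_user_id();
    $is_manager = current_user_can( 'manage_options' ); // assumed admin-level capability
    if ( ! $is_owner && ! $is_manager ) {
        // Same response as "not found" so valid IDs cannot be distinguished from invalid ones.
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    wp_send_json_success( easync_booking_payload( $booking ) );
}

// Expose only the fields the UI needs, never the raw post object.
function easync_booking_payload( WP_Post $booking ) {
    return array(
        'id'       => $booking->ID,
        'status'   => get_post_meta( $booking->ID, 'booking_status', true ), // assumed meta key
        'check_in' => get_post_meta( $booking->ID, 'check_in', true ),       // assumed meta key
    );
}
```

The nonce must be generated with wp_create_nonce( 'easync_view_request' ) on the page that issues the request, and wp_send_json_error terminates execution, so the success branch is only reached after every check passes.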

Remediation

Users are advised to update the plugin to version 1.3.22 or a newer patched version.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          2.2
impact          2.5
exploitability  7.4
remediation     7.7
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.