WordPress Appointment Booking Calendar Missing Authorization Vulnerability
Vulnerability
A missing authorization vulnerability has been identified in the Appointment Booking Calendar plugin for WordPress, affecting versions through 1.6.10.6. The issue arises from flawed authorization logic in the 'nonce_permissions_check()' method, combined with the public exposure of a site-wide, reusable nonce. This public nonce is accessible to unauthenticated users via the '/wp-json/ssa/v1/embed-inner' endpoint. Because the '/wp-json/ssa/v1/appointments/{id}/delete' and '/wp-json/ssa/v1/appointments/bulk' endpoints accept that exposed public nonce as sufficient proof of authorization for deletion actions, an attacker can manipulate appointment data without any account.
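The root cause is a REST permission callback that treats a site-wide, publicly retrievable nonce as proof of authorization. The following is an added illustration, not the plugin's own code: a weak callback of that shape beside a hardened one that requires an authenticated user, a capability covering the action, and the standard per-user REST nonce. All names (the 'ssa-example' namespace, the 'ssa_example_*' functions, the option key and the post type) are hypothetical.

```php
<?php
// Constructed example; names are hypothetical, not the plugin's real identifiers.

// WEAK: a site-wide nonce that anyone can fetch proves nothing about who is
// calling, so this check is equivalent to no authorization at all.
function ssa_example_weak_permissions_check( WP_REST_Request $request ) {
    $sent   = (string) $request->get_header( 'X-PUBLIC-Nonce' );
    $stored = (string) get_option( 'ssa_example_public_nonce' ); // hypothetical option
    return $stored !== '' && hash_equals( $stored, $sent );
}

// HARDENED: require a logged-in user, a capability that covers deleting
// appointments, and a valid per-user REST nonce (action 'wp_rest', sent in
// X-WP-Nonce). WordPress already verifies that nonce for cookie-authenticated
// requests; repeating the check here fails closed if the route is ever exposed
// through another auth path.
function ssa_example_delete_permissions_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_unauthorized', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) { // or a plugin-specific capability
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    if ( ! wp_verify_nonce( (string) $request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {
        return new WP_Error( 'rest_cookie_invalid_nonce', 'Invalid nonce.', array( 'status' => 403 ) );
    }
    return true;
}

// Assumes appointments are stored as a hypothetical 'ssa_example_appt' post type.
function ssa_example_delete_appointment( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    if ( get_post_type( $id ) !== 'ssa_example_appt' ) {
        return new WP_Error( 'rest_not_found', 'No such appointment.', array( 'status' => 404 ) );
    }
    $deleted = wp_delete_post( $id, true );
    return rest_ensure_response( array( 'deleted' => (bool) $deleted, 'id' => $id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ssa-example/v1', '/appointments/(?P<id>\d+)/delete', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'ssa_example_delete_appointment',
        'permission_callback' => 'ssa_example_delete_permissions_check', // never the weak check
        'args'                => array(
            'id' => array( 'validate_callback' => fn( $v ) => ctype_digit( (string) $v ) ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, look for any 'permission_callback' whose only input is a value that an unauthenticated request can obtain from another endpoint.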
Impact
Exploitation of this vulnerability allows unauthenticated users to view, delete, or modify any appointment, potentially leading to unauthorized access to sensitive appointment information and disruption of booking records.
Reproduction
To reproduce this vulnerability, send a request to the '/wp-json/ssa/v1/appointments/{id}/delete' endpoint, replacing '{id}' with the ID of the appointment to be deleted. Include an X-WP-Nonce header with an arbitrary value and an X-PUBLIC-Nonce header with the valid public nonce obtained from the '/wp-json/ssa/v1/embed-inner' endpoint.