Amelia WordPress Plugin Insecure Direct Object Reference Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability exists in the Booking for Appointments and Events Calendar – Amelia plugin for WordPress, in all versions through 2.1.3. The issue is an Insecure Direct Object Reference (IDOR) that allows authenticated users with Provider-level (Employee) access to escalate privileges. The vulnerability arises because the 'UpdateProviderCommandHandler' does not properly validate the 'externalId' field when providers update their profiles. This 'externalId' directly corresponds to a WordPress user ID and is sent to 'wp_set_password()' and 'wp_update_user()' without any authorization checks. As a result, an authenticated attacker could inject an arbitrary 'externalId' value to take over any WordPress account, including those of administrators.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling an authenticated user to take over any WordPress account by injecting a specific 'externalId' value during profile updates.

Reproduction

To reproduce this vulnerability, an authenticated user with Provider-level access can update their own profile through the WordPress admin interface. During the update, they can inject a different WordPress user ID into the 'externalId' field. Once the profile is updated, the 'wp_set_password()' and 'wp_update_user()' functions will be called with the injected ID, allowing the user to change the password and take over the account associated with that ID.
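To make the missing check concrete, here is an added illustration written for this advisory, not the Amelia plugin's own code: a simplified profile-update handler sketched from the description above, first in the vulnerable shape (request-supplied 'externalId' trusted as the WordPress user ID) and then with the authorization check that closes the IDOR. The function names (amelia_demo_*) and the $request array are hypothetical; the WordPress functions used are real.

```php
<?php
// Added example, not the plugin's actual code. Names with amelia_demo_ and
// the $request array are hypothetical; WordPress API calls are real.

// Vulnerable shape: externalId from the request is used directly as the
// target WordPress user ID, so any account can be modified.
function amelia_demo_update_provider_vulnerable( array $request ) {
    $external_id = (int) $request['externalId']; // caller-controlled
    wp_update_user( array(
        'ID'         => $external_id,
        'user_email' => sanitize_email( $request['email'] ),
    ) );
    if ( ! empty( $request['password'] ) ) {
        wp_set_password( $request['password'], $external_id ); // any account
    }
}

// Hardened shape: bind the target account to the logged-in caller, and let a
// different externalId through only when the caller may edit that user.
function amelia_demo_update_provider_fixed( array $request ) {
    $current_id  = get_current_user_id();
    $external_id = isset( $request['externalId'] )
        ? (int) $request['externalId']
        : $current_id;

    // 'edit_user' is a WordPress meta capability resolved per target user;
    // a provider editing their own profile passes only when IDs match.
    if ( $external_id !== $current_id
        && ! current_user_can( 'edit_user', $external_id ) ) {
        wp_die( 'Not allowed to modify this account.', '', array( 'response' => 403 ) );
    }

    $result = wp_update_user( array(
        'ID'         => $external_id,
        'user_email' => sanitize_email( $request['email'] ),
    ) );
    if ( is_wp_error( $result ) ) {
        wp_die( $result->get_error_message(), '', array( 'response' => 400 ) );
    }
    if ( ! empty( $request['password'] ) ) {
        wp_set_password( $request['password'], $external_id );
    }
}
```

Logging the rejected branch (caller ID, requested externalId) gives site operators a detection signal for attempted misuse on unpatched installs.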

Remediation

Users are advised to update the Amelia WordPress plugin to version 2.2 or later, where this vulnerability has been patched.

Added: Apr 7, 2026, 7:45 AM
Updated: Apr 7, 2026, 7:45 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.3
remediation: 0.0
relevance: 5.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.