Smart Appointment and Booking WordPress Plugin Missing Authorization Vulnerability in Cancel Booking Function
Vulnerability
A vulnerability exists in the Smart Appointment & Booking plugin for WordPress, affecting all versions up to and including 1.0.8. The issue arises from a missing capability check combined with a flawed nonce check in the 'saab_cancel_booking()' function. The nonce check incorrectly joins its conditions with an AND operator, so it can be satisfied by an unauthenticated request; an attacker who supplies a predictable booking ID can therefore cancel arbitrary bookings.
Impact
Exploitation of this vulnerability allows for unauthorized cancellation of bookings, potentially disrupting scheduled appointments or reservations.
Reproduction
To reproduce this vulnerability, send a request to the 'saab_cancel_booking' AJAX action without authentication. Include a booking ID in the request. The absence of proper nonce validation will allow the cancellation to be processed, even though the request is not authorized.
Remediation
No patch is currently available for this vulnerability. Users are advised to uninstall the affected plugin and consider a replacement.
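For plugin developers reviewing similar AJAX handlers, the following is an added illustration of the two defects the advisory describes and of a hardened handler; it is not the plugin's own code. Only the action name 'saab_cancel_booking' comes from the advisory; the request parameter names, the helper saab_example_get_booking_owner() and the exact shape of the flawed condition are assumptions for the example.

```php
<?php
// Added illustration, not code from the Smart Appointment & Booking plugin.
// Parameter names, the helper below and the exact flawed condition are assumed.

// Flawed pattern of the kind the advisory describes: two negated conditions
// joined with AND. The request is rejected only when the nonce is BOTH
// missing AND invalid, so any non-empty 'nonce' value short-circuits the check.
// There is also no capability or ownership check before the booking is changed.
function example_flawed_cancel_booking() {
    if ( ! isset( $_POST['nonce'] ) && ! wp_verify_nonce( $_POST['nonce'], 'saab_cancel_booking' ) ) {
        wp_send_json_error( 'Invalid request', 403 );
    }
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    // ... booking $booking_id is marked cancelled here, for any caller ...
    wp_send_json_success();
}

// Hardened form. check_ajax_referer() terminates the request unless a valid
// nonce is present, which is the "missing OR invalid => reject" semantics
// the flawed condition fails to express. The handler then requires a
// logged-in user and verifies that the caller owns the booking or is an admin.
function example_hardened_cancel_booking() {
    check_ajax_referer( 'saab_cancel_booking', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required', 401 );
    }

    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    if ( 0 === $booking_id ) {
        wp_send_json_error( 'Missing booking ID', 400 );
    }

    // Hypothetical helper: returns the user ID that owns the booking, or 0.
    $owner_id = saab_example_get_booking_owner( $booking_id );
    if ( 0 === $owner_id ) {
        wp_send_json_error( 'Unknown booking', 404 );
    }

    if ( get_current_user_id() !== $owner_id && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // ... booking $booking_id is marked cancelled here ...
    wp_send_json_success( array( 'booking_id' => $booking_id ) );
}

// Hypothetical helper for the example; a real plugin would look this up
// from its booking storage.
function saab_example_get_booking_owner( $booking_id ) {
    $owner = get_post_meta( $booking_id, '_saab_example_owner', true );
    return $owner ? (int) $owner : 0;
}

// Register the handler for authenticated users only. The advisory states the
// action is reachable without authentication, which implies a
// wp_ajax_nopriv_ registration; the hardened form deliberately omits it.
add_action( 'wp_ajax_saab_cancel_booking', 'example_hardened_cancel_booking' );
```

The nonce fix alone is not sufficient: a nonce proves the request originated from a page the site served to that user, not that the user is entitled to cancel the booking in question. The ownership and capability checks are what close the missing-authorization part of the finding, and dropping the unauthenticated hook removes the anonymous attack surface entirely.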
