Booking Calendar Contact Form
cpe:2.3:a:codepeople:booking_calendar_contact_form:*:*:*:*:wordpress:*:*
- <= 1.2.63
The Booking Calendar Contact Form plugin for WordPress, in all versions up to and including 1.2.63, contains an Insecure Direct Object Reference (IDOR) in the file 'dex_bccf_admin_int_calendar_list.inc.php'. The affected code acts on a user-controlled key that identifies a calendar without verifying that the calendar belongs to the requesting user. Authenticated attackers with Subscriber-level access and above can therefore supply a key that references another user's calendar, take over that calendar, and read the personal data associated with it. The root cause is a missing authorization check, not a missing authentication check: being logged in is treated as sufficient to act on any calendar.
Exploitation could lead to unauthorized access to and manipulation of other users' calendar data, allowing an attacker to disrupt scheduling or booking processes and to view personal information attached to bookings. Because Subscriber is the default role for self-registered accounts on WordPress sites that enable "Anyone can register", the required privilege is frequently obtainable by anyone.
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request that is handled by 'dex_bccf_admin_int_calendar_list.inc.php' and sets the user-controlled calendar key to a value that references another user's calendar. The request can be issued through the calendar management features of the Booking Calendar Contact Form plugin in the WordPress admin interface; the server processes it without checking that the referenced calendar is owned by the requesting user.
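The following is an added, illustrative example of the class of bug described above and of the check that closes it; it is not code from the Booking Calendar Contact Form plugin, and the table name `example_calendars`, the column `owner_id`, the request parameter `cal`, the nonce action and the function names are all assumptions made for the illustration.

```php
<?php
// Added example (not plugin code): an IDOR-prone calendar lookup beside a
// hardened version. Table, column, parameter and function names are assumed.

/**
 * Vulnerable pattern: the handler only checks that someone is logged in and
 * then trusts the caller-supplied calendar id. Any Subscriber can change the
 * id to a calendar owned by another user, which is exactly an IDOR.
 */
function example_get_calendar_insecure( array $request ) {
    global $wpdb;

    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', 403 );
    }
    $calendar_id = isset( $request['cal'] ) ? absint( $request['cal'] ) : 0;

    // Authentication is not authorization: nothing here ties the row to the caller.
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_calendars WHERE id = %d",
            $calendar_id
        )
    );
}

/**
 * Hardened version: require a valid nonce for the action, then scope the query
 * to the current user's id unless the caller holds a capability that allows
 * managing every calendar. A row that belongs to someone else is then
 * indistinguishable from a row that does not exist.
 */
function example_get_calendar_secure( array $request ) {
    global $wpdb;

    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', 403 );
    }
    $calendar_id = isset( $request['cal'] ) ? absint( $request['cal'] ) : 0;

    // Nonce check so the action must originate from the plugin's own admin form.
    $nonce = isset( $request['_wpnonce'] ) ? $request['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_manage_calendar_' . $calendar_id ) ) {
        wp_die( 'Invalid request', 403 );
    }

    $table = $wpdb->prefix . 'example_calendars';
    if ( current_user_can( 'manage_options' ) ) {
        // Administrators may manage any calendar.
        $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $calendar_id );
    } else {
        // Everyone else: ownership is enforced inside the query itself.
        $sql = $wpdb->prepare(
            "SELECT * FROM {$table} WHERE id = %d AND owner_id = %d",
            $calendar_id,
            get_current_user_id()
        );
    }

    $row = $wpdb->get_row( $sql );
    if ( null === $row ) {
        // Same response whether the calendar is missing or belongs to another user,
        // so the endpoint cannot be used to enumerate other users' calendar ids.
        wp_die( 'Calendar not found', 403 );
    }
    return $row;
}
```

The same ownership condition has to be applied on every write path as well (renaming, deleting, or reassigning the calendar's owner), since an IDOR on the read path is usually mirrored on the update path that shares the same key.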
Users are advised to update the Booking Calendar Contact Form plugin to version 1.2.64 or later, where this vulnerability has been patched. Sites that allow open registration should also review existing calendar ownership for unexpected changes, since a takeover performed before the update is not reversed by updating.