MotoPress Hotel Booking Authorization Bypass Vulnerability Allowing Unauthenticated Booking Notes Modification

Vulnerability

A vulnerability exists in the MotoPress Hotel Booking plugin for WordPress, in all versions up to and including 6.0.1. The issue stems from the plugin's failure to properly verify user authorization for certain actions. This flaw enables unauthenticated attackers to overwrite or delete internal notes associated with bookings by providing an arbitrary booking ID. The nonce required for this action is available in the HTML source of every public page, allowing any unauthenticated visitor to obtain a valid nonce and execute the action without an account or prior interaction. A WordPress nonce only protects against cross-site request forgery; it does not establish who the caller is or what they are permitted to do, so it cannot substitute for an authorization check.

Impact

Exploitation of this vulnerability allows for unauthorized modification of booking notes, potentially leading to misinformation or disruption of booking management.

Reproduction

To reproduce this vulnerability, an unauthenticated user can send a request to the 'wp_ajax_nopriv_mphb_update_booking_notes' action. This request must include a valid nonce, which can be obtained from the 'MPHB._data.nonces' variable available on public pages. The request should also include the 'booking_id' parameter with the ID of the booking whose notes are to be modified, and the 'notes' parameter containing the new notes, which overwrite or delete the existing ones.

Remediation

Users are advised to update the MotoPress Hotel Booking plugin to version 6.0.2 or a newer patched version.
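The missing-authorization pattern described in the Vulnerability and Reproduction sections, placed beside a hardened handler, as an added example that is not the plugin's own code; apart from the advisory's 'mphb_update_booking_notes' action name, all function names, the nonce action, the meta key, the post type and the script handle are assumptions.

```php
<?php
// Added example for illustration; not MotoPress code. Names other than the
// 'mphb_update_booking_notes' action are hypothetical.

// VULNERABLE PATTERN: registered for unauthenticated (nopriv) callers and
// guarded only by a nonce that is printed into every public page. A nonce
// proves the request was not forged cross-site; it proves nothing about
// identity or permission, so any visitor passes this check.
function insecure_update_booking_notes() {
    check_ajax_referer( 'mphb_public_nonce', 'nonce' ); // hypothetical nonce action
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $notes      = sanitize_textarea_field( wp_unslash( $_POST['notes'] ?? '' ) );
    update_post_meta( $booking_id, '_mphb_booking_notes', $notes ); // hypothetical meta key
    wp_send_json_success();
}
add_action( 'wp_ajax_mphb_update_booking_notes', 'insecure_update_booking_notes' );
add_action( 'wp_ajax_nopriv_mphb_update_booking_notes', 'insecure_update_booking_notes' );

// HARDENED PATTERN: no nopriv registration, the booking ID is validated, and a
// capability check is bound to the specific booking being edited.
function secure_update_booking_notes() {
    check_ajax_referer( 'mphb_update_booking_notes', 'nonce' );
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    if ( ! $booking_id || 'mphb_booking' !== get_post_type( $booking_id ) ) { // hypothetical post type
        wp_send_json_error( 'invalid booking', 400 );
    }
    if ( ! current_user_can( 'edit_post', $booking_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $notes = sanitize_textarea_field( wp_unslash( $_POST['notes'] ?? '' ) );
    update_post_meta( $booking_id, '_mphb_booking_notes', $notes );
    wp_send_json_success();
}
add_action( 'wp_ajax_mphb_update_booking_notes', 'secure_update_booking_notes' );

// Issue the nonce only where the action is usable (admin screens, capable
// users) instead of embedding it in every public page.
function secure_localize_booking_notes_nonce() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return;
    }
    wp_localize_script( 'my-booking-admin', 'MyBookingNotes', array( // hypothetical handle
        'nonce' => wp_create_nonce( 'mphb_update_booking_notes' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'secure_localize_booking_notes_nonce' );
```

For detection, unauthenticated POSTs to admin-ajax.php with action=mphb_update_booking_notes against a site still on 6.0.1 or earlier are worth alerting on, since legitimate use requires a logged-in editor.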

Added: May 22, 2026, 9:20 AM
Updated: May 22, 2026, 9:20 AM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          0.6
  exploitability  9.3
  remediation     7.7
  relevance       9.0
  threat          4.8
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.