exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Booking Calendar 9.1 PHP Object Injection / Insecure Deserialization

WordPress Booking Calendar 9.1 PHP Object Injection / Insecure Deserialization
Posted Apr 27, 2022
Authored by Ramuel Gall | Site wordfence.com

WordPress Booking Calendar plugin versions 9.1 and below suffer from PHP object injection and insecure deserialization vulnerabilities.

tags | advisory, php, vulnerability
advisories | CVE-2022-1463
SHA-256 | ca383548169d539c9e3c7a8fb2058f0828391d09365e432f7376f20ec13cc507

WordPress Booking Calendar 9.1 PHP Object Injection / Insecure Deserialization

Change Mirror Download
On April 18, 2022, the Wordfence Threat Intelligence team initiated the disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations.

We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.

We released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on April 18, 2022. Sites still running the free version of Wordfence will receive the same protection on May 18, 2022.

We recommend that all Wordfence users update to the patched version, 9.1.1, as soon as possible as this will entirely eliminate the vulnerability.

Description: Insecure Deserialization/PHP Object Injection

Affected Plugin: Booking Calendar

Plugin Slug: booking

Plugin Developer: wpdevelop, oplugins

Affected Versions: <= 9.1

CVE ID: CVE-2022-1463

CVSS Score: 8.1(High)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Ramuel Gall

Fully Patched Version: 9.1.1

The Booking Calendar plugin allows site owners to add a booking system to their site, which includes the ability to publish a flexible timeline showing existing bookings and openings using a shortcode, [bookingflextimeline].

The flexible timeline includes the ability to configure viewing preferences and options when viewing the published timeline. Some of these options were passed in PHP’s serialized data format, and unserialized by the define_request_view_params_from_params function in core/timeline/v2/wpbc-class-timeline_v2.php.

An attacker could control the serialized data via several methods:

- If a timeline was published, an unauthenticated attacker could obtain the nonce required to send an AJAX request with the action set to WPBC_FLEXTIMELINE_NAV and a timeline_obj[options] parameter set to a serialized PHP object.
- Any authenticated attacker could use the built-in parse-media-shortcode AJAX action to execute the [bookingflextimeline] shortcode, adding an options attribute in the shortcode set to a serialized PHP object. This would work even on sites without a published timeline.
- An attacker with contributor-level privileges or above could also embed the [bookingflextimeline] shortcode containing a malicious options attribute into a post and execute it by previewing it, or obtain the WPBC_FLEXTIMELINE_NAV nonce by previewing the [bookingflextimeline] shortcode and then using method #1.

Any time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice. If a “POP Chain” is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website. Fortunately, no POP chain was present in the Booking plugin, so an attacker would require some luck as well as additional research in order to exploit this vulnerability. Nonetheless, POP chains appear in a number of popular software libraries, so many sites could still be exploited if another plugin using one of these libraries is installed.

Despite the lack of a POP chain and complexity involved in exploitation, the potential consequences of a successful attack are so severe that Object Injection vulnerabilities still warrant a “High” CVSS score. We’ve written about Object Injection vulnerabilities in the past (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVpBSr3BkC5gW3zCRq11qNCJPW2qd3df4JnTTpN6klYVQ5js6JV3Zsc37CgG1_W4Cc2TH2cMdlnW5f7ykY58sLPNW4pvZXZ2RXFNBW7KbW7x7z0_PZVDPKzv1yW6N0W7v4Xbb94X562Vx_h734dKwtbW64FBwn4PkBrVW6K_MLr53zwDfW4VH96w95ZT3qW11tQ681xsy7DN1dXl29dh69DW4vpJ0h6nhGVSW5XzPFp40K1RFW5PCymh61jdV9W1WSKs76PKR7rV8vsw54MNkD5W1vSwjN3tdZZ0W6JnYnt1kphDLW5BMKJQ4R6zYYW41XMGF5lxxpWN8_KG5xf57l3VJ9Cpq8kNPCqN90_1c3m4f__W2WnhNh1YPPNGVXZkVx2fCwHNW218B8X4s27wRW8VQWWb9jbvCGVY7B375H-KWTW3DGsJC7yVVSRW2jTqcW3Y3VQ6W7jN8Sg7Y3H67V5dYPX7ZdWPjW74Cb_v3bWjCr3bzH1 ) if you’d like to find out more about how they work.

Timeline

April 18, 2022 - We release a firewall rule to protect Wordfence Premium, Care, and Response customers. We initiate the disclosure process. The plugin developer verifies the contact method.

April 19, 2022 - We send the full disclosure to the plugin developer.

April 21, 2022 - A patched version of the Booking Calendar plugin, 9.1.1, is released.

May 18, 2022 - The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we covered an Object Injection vulnerability in the Booking Calendar plugin. Wordfence Premium, Wordfence Care, and Wordfence Response customers are fully protected from this vulnerability. Sites running the free version of Wordfence will receive the same protection on May 18, 2022, but have the option of updating the Booking calendar plugin to the patched version 9.1.1 to eliminate the risk immediately.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close