Some WordPress plugins put the sites that install them at risk by introducing security flaws of their own. The high-severity vulnerability in the Booking Calendar plugin is one of them, allowing attackers to exfiltrate data, execute code remotely, or completely take over the website.
A high-severity vulnerability
The Wordfence Threat Intelligence team has published a whitepaper on the Booking Calendar plugin security flaw. The vulnerability is tracked as CVE-2022-1463 and carries a CVSS score of 8.1. It affects all versions below 9.1.1, the version in which the Booking Calendar plugin was fixed. The team noticed the bug on the 18th of April, and the Booking Calendar developers patched the plugin just three days later, on the 21st of April.
According to Wordfence's whitepaper, the bug resides in the define_request_view_params_from_params function in the core/timeline/v2/wpbc-class-timeline_v2.php file, where the calendar's viewing options are passed in as serialized PHP data and then unserialized. Attackers can control that serialized data in one of the following ways:
- If a timeline was published, an unauthenticated attacker could obtain the nonce required to send an AJAX request with the action set to WPBC_FLEXTIMELINE_NAV and a timeline_obj[options] parameter set to a serialized PHP object.
- Any authenticated attacker could use the built-in parse-media-shortcode AJAX action to execute the [bookingflextimeline] shortcode, adding an options attribute in the shortcode set to a serialized PHP object. This would work even on sites without a published timeline.
- An attacker with contributor-level privileges or above could also embed the [bookingflextimeline] shortcode with a malicious options attribute into a post and execute it by previewing the post, or could obtain the WPBC_FLEXTIMELINE_NAV nonce by previewing the [bookingflextimeline] shortcode and then use the first method.
Attackers who control the data that PHP unserializes can inject any PHP object. Executing arbitrary code, deleting files, and gaining full control of the website also become possible if a POP (property-oriented programming) chain is present, which is not the case in the Booking Calendar plugin itself. However, libraries shipped by other installed plugins might supply such a chain, and attackers would need to exploit those as well to escalate the impact of the Booking Calendar bug.
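The root cause described above, and the reason a fix is straightforward, is the pattern of calling unserialize() on request-controlled data. The following is an added example, not code from the Booking Calendar plugin or from Wordfence's write-up: it contrasts that vulnerable pattern with two hardened forms (forbidding object instantiation during unserialize, and switching the transport to JSON with a key whitelist), plus a small detection helper for logging requests that carry a serialized-object token. All function names, option keys and sample inputs are hypothetical and constructed for the example.

```php
<?php
// Added example (not from the Booking Calendar plugin or Wordfence).
// Function names, option keys and inputs are hypothetical.

// VULNERABLE PATTERN: the timeline options arrive as a serialized PHP string
// (the advisory's timeline_obj[options] parameter) and go straight into
// unserialize(). Any class loaded in the application can be instantiated, and
// its magic methods (__wakeup, __destruct, __toString) run with attacker-chosen
// property values. That is the object-injection sink.
function load_timeline_options_vulnerable(string $raw): array {
    $options = unserialize($raw);
    return is_array($options) ? $options : [];
}

// HARDENED (a): keep the serialized transport but forbid object instantiation.
// With allowed_classes => false every O:... token becomes __PHP_Incomplete_Class
// and no magic method executes. We then reject any object-shaped leaf so the
// incomplete-class stub cannot be re-serialized later and revived elsewhere.
function load_timeline_options_no_objects(string $raw): array {
    $options = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($options)) {
        return [];
    }
    array_walk_recursive($options, function ($leaf) {
        if (is_object($leaf)) {
            throw new InvalidArgumentException('Objects are not permitted in timeline options');
        }
    });
    return $options;
}

// HARDENED (b): preferred for new code. JSON has no object-instantiation
// semantics at all; after decoding, keep only whitelisted keys of the expected
// type so the rest of the plugin never sees unexpected shapes.
function load_timeline_options_json(string $raw): array {
    $decoded = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        return [];
    }
    // Hypothetical option schema: key => expected PHP type.
    $schema = [
        'view_days_num'     => 'int',
        'scroll_start_date' => 'string',
    ];
    $clean = [];
    foreach ($schema as $key => $type) {
        if (!array_key_exists($key, $decoded)) {
            continue;
        }
        $value = $decoded[$key];
        if ($type === 'int' && is_int($value)) {
            $clean[$key] = $value;
        } elseif ($type === 'string' && is_string($value)) {
            $clean[$key] = strip_tags($value);
        }
    }
    return $clean;
}

// DETECTION: flag request parameters that contain a serialized PHP object
// token (O:<len>:"ClassName") so a WAF rule or log pipeline can alert on them.
// Legitimate scalar/array option strings never contain this token.
function looks_like_serialized_object(string $raw): bool {
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $raw);
}

// Constructed sample inputs (not captured from any real site).
$array_payload  = 'a:1:{s:13:"view_days_num";i:7;}';
$object_payload = 'a:1:{s:13:"view_days_num";O:8:"stdClass":0:{}}';
$json_payload   = '{"view_days_num":7,"scroll_start_date":"2022-04-21","unexpected":"x"}';

var_dump(load_timeline_options_no_objects($array_payload));
try {
    load_timeline_options_no_objects($object_payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(load_timeline_options_json($json_payload));
var_dump(looks_like_serialized_object($array_payload), looks_like_serialized_object($object_payload));
```

Hardened form (a) is the minimal change when the serialized format cannot be replaced immediately, since scalars and arrays round-trip unchanged while objects are neutralised; form (b) is what a rewrite should target, because it removes the class of bug rather than one instance of it. The detection helper is deliberately simple and intended for logging or alerting on the AJAX endpoint named in the advisory, not as a substitute for updating to 9.1.1.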
Updating the Booking Calendar plugin to 9.1.1 on WordPress websites is strongly recommended.