A security vulnerability has been discovered in the Five Star Restaurant Reservations WordPress plugin (versions before 2.4.12) that allows unauthenticated users to change the payment status of arbitrary bookings. The vulnerability has been assigned CVE-2022-0421 and requires immediate attention from developers and website administrators running an affected plugin version. In addition to unauthorized payment status changes, attackers can exploit the lack of sanitization and escaping to perform Cross-Site Scripting (XSS) attacks against a logged-in admin viewing the failed payment statuses. In this post, we'll go over the exploit details, provide code snippets, and link to original references for further reading.

Exploit Details

The vulnerability exists due to the absence of authorization checks when changing the payment status for bookings within the Five Star Restaurant Reservations WordPress plugin. Unauthenticated users exploiting this weakness can change the payment status for any booking, potentially causing reputational and financial damage to the affected businesses.

Moreover, the plugin's lack of data sanitization and escaping could lead to an XSS attack: because the payment status value is stored as submitted and later rendered without escaping, an attacker can inject malicious JavaScript into the plugin's output. Should a logged-in admin view the injected code (for example, in the list of failed payment statuses), an XSS attack may allow the bad actor to take over the victim's session, steal sensitive information, or perform unauthorized actions on behalf of the victim admin.

Code Snippet

The following code snippet demonstrates how the plugin processes payment status changes without verifying the user's authorization:

// No nonce, capability or authorization check: any request that reaches this
// handler is trusted.
function rtb_update_payment() {
  global $wpdb;
  // Values are taken straight from the request with no type check, allowlist
  // or sanitization.
  $booking_id = $_POST['id'];
  $new_payment_status = $_POST['new_payment_status'];

  // Update the payment status in the database
  $wpdb->update(
    'bookings_table',
    array('payment_status' => $new_payment_status),
    array('ID' => $booking_id)
  );

  // ... (rest of the code)
}

To fix the vulnerability, developers should add a nonce check and a capability (authorization) check, sanitize the input data, and escape the stored status wherever it is rendered, by modifying the code as follows:

// Add nonce, authorization and input sanitization:
function rtb_update_payment() {
  // Verify the nonce (CSRF protection); the third argument makes the request die on failure.
  check_ajax_referer('rtb-update-payment', '_ajax_nonce', true);
  // Verify the caller is authorized to manage bookings.
  if (!current_user_can('manage_options')) {
    wp_die(-1);
  }

  // Sanitize input data: integer id, plain-text status.
  $booking_id = isset($_POST['id']) ? (int) $_POST['id'] : 0;
  $new_payment_status = isset($_POST['new_payment_status'])
    ? sanitize_text_field($_POST['new_payment_status'])
    : '';

  // ... (rest of the code; when the status is later displayed to an admin,
  //      wrap it in esc_html() so stored markup cannot execute)
}
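The following is an added example, not code from the Five Star Restaurant Reservations plugin, that carries the fix described in the Exploit Details and Code Snippet sections through to a complete handler: it registers the AJAX action for logged-in users only, combines the nonce and capability checks with an allowlist of statuses, writes the value with a parameterised update, and escapes the status on output so the failed-payments view cannot execute injected markup. The hook name, function names, table name, status values and the payment_note field are assumptions for illustration and are not the plugin's identifiers.

```php
<?php
// Added example (not the plugin's own code). Hook names, table name and
// status values are assumptions chosen for illustration.

// Register the handler for logged-in users only. Deliberately not registering
// 'wp_ajax_nopriv_...' means unauthenticated requests never reach the function.
add_action( 'wp_ajax_example_rtb_update_payment', 'example_rtb_update_payment' );

// Allowlist of accepted payment statuses (assumed values for this example).
function example_rtb_allowed_statuses() {
    return array( 'pending', 'paid', 'failed', 'refunded' );
}

function example_rtb_update_payment() {
    global $wpdb;

    // 1. CSRF protection: the request must carry a valid nonce (dies on failure).
    check_ajax_referer( 'example-rtb-update-payment', '_ajax_nonce' );

    // 2. Authorization: only users who may manage bookings can change a status.
    //    'manage_options' mirrors the fix shown above; a dedicated capability
    //    would be narrower.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Input validation: integer id, status restricted to the allowlist.
    $booking_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $status     = isset( $_POST['new_payment_status'] )
        ? sanitize_key( $_POST['new_payment_status'] )
        : '';

    if ( 0 === $booking_id || ! in_array( $status, example_rtb_allowed_statuses(), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid booking id or status.' ), 400 );
    }

    // 4. Parameterised write: $wpdb->update() builds a prepared statement from
    //    the arrays, and the format strings pin the column types.
    $updated = $wpdb->update(
        $wpdb->prefix . 'example_bookings',        // assumed table name
        array( 'payment_status' => $status ),
        array( 'ID' => $booking_id ),
        array( '%s' ),
        array( '%d' )
    );

    if ( false === $updated ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }

    wp_send_json_success( array( 'id' => $booking_id, 'payment_status' => $status ) );
}

// 5. Output escaping: when the admin screen lists failed payments, every value
//    that originated in a request is escaped at the point it is rendered. This
//    is what closes the stored XSS path described above, even for rows written
//    before the fix was deployed.
function example_rtb_render_failed_payment_row( $booking ) {
    printf(
        '<tr><td>%d</td><td>%s</td><td>%s</td></tr>',
        absint( $booking->ID ),
        esc_html( $booking->payment_status ),
        esc_html( $booking->payment_note )   // assumed free-text field
    );
}
```

Two design points are worth noting. The allowlist check does more than `sanitize_text_field()`: a status column should only ever hold one of a handful of known values, so rejecting anything else both blocks the injection and catches malformed requests. And escaping at render time rather than at save time means existing rows that were tampered with before the update are displayed safely as well.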

For more details on this vulnerability, please refer to these trusted sources:

- CVE-2022-0421 on NVD (National Vulnerability Database)
- Five Star Restaurant Reservations WordPress Plugin Changelog (includes information on version 2.4.12)

Conclusion

If you are using the Five Star Restaurant Reservations WordPress plugin on your website, it is critical to update the plugin to version 2.4.12 or later to protect your site from potential CVE-2022-0421 exploits. This vulnerability not only risks unauthorized payment status changes but also puts your website at risk of XSS attacks, potentially exposing confidential information and negatively impacting your site's reputation. Always stay proactive in keeping your plugins and software up to date, and consider implementing other best practices for website security to minimize the risk of future vulnerabilities.

Timeline

Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:45:00 UTC