WordPress BookIt 2.3.7 Authentication Bypass

WordPress BookIt plugin versions 2.3.7 and below suffer from an authentication bypass vulnerability.

Packet Storm
On May 22, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in StylemixThemes's BookIt plugin, which is actively installed on more than 10,000 WordPress websites. The vulnerability makes it possible for an attacker to gain access to any account on the site, including the administrator account, if the attacker knows that account's email address.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.

We contacted StylemixThemes on May 22, 2023, and received a response the next day. After providing full disclosure details, the developer released a first patch on May 31, 2023, which still contained a vulnerability, and then released the full patch on June 13, 2023. We would like to commend the StylemixThemes development team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of BookIt, version 2.3.8 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: BookIt <= 2.3.7 – Authentication Bypass
Affected Plugin: Booking Calendar | Appointment Booking | BookIt
Plugin Slug: bookit
Affected Versions: <= 2.3.7
CVE ID: CVE-2023-2834
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Lana Codes
Fully Patched Version: 2.3.8

The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification of the user supplied while booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know that user's email address.

Technical Analysis

The BookIt plugin provides the shortcode '[bookit]' to embed an appointment booking calendar into a page on a WordPress site. Using this functionality, after selecting a date and time in the calendar, a visitor can book an appointment by providing a name, email address, and password for registration.

Examining the code reveals that the plugin looks up a user ID based on the email address supplied via the 'email' parameter. If the email belongs to an existing WordPress user, it associates the request with that user and sets the authentication cookies for that user.

Unfortunately, this functionality was insecurely implemented: it does not include any authentication check, such as password verification. It simply looks for an identity and authorizes that claim without proper verification and authentication.

This makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin. As always, this makes it easy for threat actors to completely compromise a vulnerable WordPress site and further infect the victim.

Disclosure Timeline

May 22, 2023 – Discovery of the Authentication Bypass vulnerability in BookIt.
May 22, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
May 22, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
May 23, 2023 – The vendor confirms the inbox for handling the discussion.
May 23, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
June 13, 2023 – A fully patched version of the plugin, 2.3.8, is released.
July 21, 2023 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we have detailed an Authentication Bypass vulnerability within the BookIt plugin affecting versions 2.3.7 and earlier. This vulnerability allows threat actors to bypass authentication and gain access to user accounts if the attacker knows the account's email address. The vulnerability has been fully addressed in version 2.3.8 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of BookIt as soon as possible.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.
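The defect described under Technical Analysis, shown as an added illustration beside a hardened form (this is not BookIt's own code, and the bookit_demo_* function names are hypothetical; only core WordPress functions are used):

```php
<?php
// Added illustration of the pattern the advisory describes, not the plugin's
// actual code. Function names prefixed bookit_demo_ are hypothetical.

// INSECURE: mirrors the described defect. An email matching an existing
// WordPress user is treated as proof of identity and a session is issued
// without verifying any credential.
function bookit_demo_insecure_login( $email ) {
    $user = get_user_by( 'email', sanitize_email( $email ) );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID ); // no password ever checked
        return $user->ID;
    }
    return 0;
}

// HARDENED: a matching email only identifies the account; a session is
// issued solely after the supplied password is verified for that account.
function bookit_demo_secure_login( $email, $password ) {
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) || '' === $password ) {
        return new WP_Error( 'invalid_input', 'Email and password are required.' );
    }
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        // Unknown email: the booking form may register a new account here,
        // but it must never fall through to a login.
        return new WP_Error( 'no_account', 'No account exists for this email.' );
    }
    // wp_authenticate() runs the core credential checks (password hash
    // comparison plus any 'authenticate' filters, e.g. brute-force limiters).
    $verified = wp_authenticate( $user->user_login, $password );
    if ( is_wp_error( $verified ) ) {
        return $verified; // wrong password: no cookie, no session
    }
    wp_set_current_user( $verified->ID );
    wp_set_auth_cookie( $verified->ID, false, is_ssl() );
    return $verified->ID;
}
```

The hardened form never lets the existence of an account decide the outcome; only a verified password does, so a known administrator email alone yields a WP_Error rather than a session.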
