[FD] DefenseCode ThunderScan SAST Advisory: WordPress Booking Calendar Multiple Security Vulnerabilities

DefenseCode ThunderScan SAST Advisory: WordPress Booking Calendar              Multiple Security Vulnerabilities Advisory ID:    DC-2017-12-005 Advisory Title: WordPress Booking Calendar Plugin Multiple Vulnerabilities Advisory URL:   http://ift.tt/2rhPqdW Software:       WordPress Booking Calendar plugin Language:       PHP Version:        7.0/7.1 and below Vendor Status:  Vendor contacted, updates released Release Date:   2017/12/13 Risk:           Medium 1. General Overview =================== During the security audit of Booking Calendar plugin for WordPress CMS, multiple vulnerabilities were discovered using DefenseCode ThunderScan application source code security analysis platform. More information about ThunderScan is available at URL: http://ift.tt/Vn2J4r 2. Software Overview ==================== Booking Calendar plugin - described by the authors as the ultimate booking system for online reservation and availability checking service for your site. According to wordpress.org, it has more than 40,000 active installs. Homepage: http://ift.tt/1kglEJL http://ift.tt/1hpgwPN http://ift.tt/2CAzZio 3. Vulnerability Description ============================ During the security analysis, ThunderScan discovered SQL injection and Local file inclusion vulnerabilities in Booking Calendar WordPress plugin. The easiest way to reproduce the SQL injection vulnerabilities is to send the specified parameter to the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do not have full administrative privileges could abuse the database access the vulnerabilities provide to either escalate their privileges or obtain and modify database contents they were not supposed to be able to. By requesting a specially crafted URL, the attacker can cause remote server to execute a php file of his choosing. Although the user requesting the URL has to be logged into the WordPress administrative console, the attacker can cause the administrator to request such a URL by using various social engineering/phishing approaches. Specified file will be interpreted by php interpreter, and any valid php code will indeed be executed. If the php installation on server has "allow_url_include=1" configuration option set, this attack can be expanded to execute a php file from any remote URL. If the php version is less than 5.3.4, the ".php" that gets appended to the end of the file name attacker chose can be omitted by adding a null character ("%00") to the requested URL, and enable the attacker to execute any file, regardless of the extension. Due to the CSRF token needed to perform the attack the risk is lowered to medium. 3.1. SQL injection   Function: $wpdb->query()   Variable: $_POST[ "booking_id" ];   Vulnerable URL: /wp-admin/admin-ajax.php   File: booking\lib\wpbc-ajax.php        

Source: Gmail -> IFTTT-> Blogger