WordPress Simple Booking Calendar 1.3 Cross Site Request Forgery
Posted on 17 December 2015
Plugin Name : WP Simple Booking Calendar A8-Cross-Site_Request_Forgery_(CSRF) Effected Version : 1.3 (and most probably lower version's if any) Vulnerability : A8-Cross-Site Request Forgery (CSRF) Identified by : Madhu Akula Technical Details Minimum Level of Access Required : Unauthenticated PoC - (Proof of Concept) : http://localhost/wp-admin/admin.php?page=wp-simple-booking-calendar&action=delete Vulnerable Parameter : action Impact : we can delete the any one calendar by single URL Fixed in : 1.4 http://wordpress.org/plugins/wp-simple-booking-calendar/changelog/ Disclosure Timeline Vendor Contacted : 2014-08-04 Plugin Status : Updated on 2014-08-07 Public Disclosure : October 3, 2015 CVE Number : Not assigned yet Plugin Description : Create a booking calendar for your website! Do you want to show people when your holiday home (or something else) is available for rent? You can create, edit and publish a booking calendar with just a few clicks with the WP Simple Booking Calendar. This booking calendar is very easy to use! You can manage the bookings (availability) on a daily basis and embedding the booking calendar on a page takes only one mouse click. You can also use the WP Simple Booking Calendar Widget to show a booking calendar on your WordPress website. Check out http://www.wpsimplebookingcalendar.com for more information about this booking calendar.