StylemixThemes Addresses Authentication Bypass Vulnerability in BookIt WordPress Plugin

On May 22, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in StylemixThemes’s BookIt plugin, which is actively installed on more than 10,000 WordPress websites. The vulnerability makes it possible for an attacker to gain access to any account on the site, including the administrator account, if the attacker knows their email address.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.

We contacted StylemixThemes on May 22, 2023, and received a response the next day. After we provided full disclosure details, the developer released a first patch on May 31, 2023, which still contained a vulnerability, and then released the full patch on June 13, 2023. We would like to commend the StylemixThemes development team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of BookIt, version 2.3.8 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: BookIt <= 2.3.7 – Authentication Bypass
Affected Plugin: Booking Calendar | Appointment Booking | BookIt
Plugin Slug: bookit
Affected Versions: <= 2.3.7
CVE ID: CVE-2023-2834
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Lana Codes
Fully Patched Version: 2.3.8

The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification of the user identity supplied when booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know that user's email address.

Technical Analysis

The BookIt plugin provides the shortcode '[bookit]' to embed an appointment booking calendar into a page on a WordPress site. Using this functionality, after selecting a date and time in the calendar, a visitor can book an appointment by providing a name, an email address, and a password for registration.

Examining the code reveals that the plugin looks up the user ID based on the email address supplied via the 'email' parameter. If the email belongs to an existing WordPress user, the plugin associates the request with that user and sets the authentication cookies for that user.

public static function get_customer( $data ) {

	// Resolve the customer record by wp_user_id if one was supplied,
	// otherwise by the request-controlled 'email' parameter.
	if ( ! empty( $data['user_id'] ) ) {
		$id = Customers::get('wp_user_id', $data['user_id'])->id;
	} else {
		$id = Customers::get('email', $data['email'])->id;
	}

	$settings = SettingsController::get_settings();
	if ( $settings['booking_type'] == 'registered' && !is_user_logged_in() ) {
		$data['role']    = User::$customer_role;
		// Returns the ID of the existing WordPress user that owns this
		// email address (see save_or_get_wp_user below).
		$data['user_id'] = Customers::save_or_get_wp_user($data);
		/** Authorize wp User */
		// A session is issued for whichever account owns the email;
		// no password or other proof of ownership has been checked.
		wp_clear_auth_cookie();
		wp_set_current_user ( $data['user_id'] );
		wp_set_auth_cookie  ( $data['user_id'] );
	}

	// ... remainder of the method omitted in this excerpt
}

The get_customer method in the CustomerController class

public static function save_or_get_wp_user($data) {

	// Look up an existing WordPress account by the submitted email address
	// and, if one exists, return its ID without any password check.
	$is_exist_user = get_user_by_email($data['email']);
	if ( $is_exist_user ) {
		return $is_exist_user->data->ID;
	}

	// ... remainder of the method (creating a new user) omitted in this excerpt
}

The save_or_get_wp_user method in the Customers class

Unfortunately, this functionality was insecurely implemented: it performs no authentication check such as password verification. It simply treats the submitted email address as an identity claim and authorizes that claim without verifying it.
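The following is an added example, not code from BookIt or from the patched release, showing how the booking-time login flow described above can be written so that an email address is treated as a claim that must be proven. The function name, the 'bookit_customer' role and the minimum password length are assumptions; every WordPress function used (get_user_by, wp_authenticate, wp_insert_user, the cookie helpers) is core API.

```php
<?php
/**
 * Added example (not BookIt's code): hardened variant of the booking login flow.
 * Rule: if the submitted email belongs to an existing account, the request must
 * also carry that account's password and it must verify; otherwise no
 * authentication cookie is set. New visitors get a fresh low-privilege account.
 */
function bookit_example_resolve_customer( array $data ) {
	$email    = isset( $data['email'] ) ? sanitize_email( $data['email'] ) : '';
	$password = isset( $data['password'] ) ? (string) $data['password'] : '';

	if ( ! is_email( $email ) ) {
		return new WP_Error( 'invalid_email', 'A valid email address is required.' );
	}

	// A visitor who is already logged in keeps their own session; never
	// re-authenticate them as whoever owns the submitted email address.
	if ( is_user_logged_in() ) {
		return get_current_user_id();
	}

	$existing = get_user_by( 'email', $email );

	if ( $existing ) {
		// Existing account: ownership is proven by the password. wp_authenticate()
		// runs the normal core login checks and returns WP_Error on failure.
		if ( '' === $password ) {
			return new WP_Error( 'password_required', 'Please log in to book with this email address.' );
		}
		$user = wp_authenticate( $existing->user_login, $password );
		if ( is_wp_error( $user ) ) {
			// Generic message so the response does not confirm which emails exist.
			return new WP_Error( 'auth_failed', 'Invalid email address or password.' );
		}
		$user_id = $user->ID;
	} else {
		// New account: created with the supplied password and the plugin's
		// customer role (role name and length policy are assumptions here).
		if ( strlen( $password ) < 12 ) {
			return new WP_Error( 'weak_password', 'Password must be at least 12 characters.' );
		}
		$user_id = wp_insert_user( array(
			'user_login' => $email,
			'user_email' => $email,
			'user_pass'  => $password,
			'role'       => 'bookit_customer',
		) );
		if ( is_wp_error( $user_id ) ) {
			return $user_id;
		}
	}

	// Only now, with ownership proven or a fresh account created, start a session.
	wp_clear_auth_cookie();
	wp_set_current_user( $user_id );
	wp_set_auth_cookie( $user_id );

	return $user_id;
}
```

The important difference from the vulnerable code is ordering: the cookie helpers are reached only after wp_authenticate() has succeeded or after wp_insert_user() has created an account that did not exist before, so the existing-user branch can never be reached with nothing more than an email address.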

This makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin. As always, this makes it easy for threat actors to completely compromise a vulnerable WordPress site and further infect the victim.
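For site owners who want to know whether a plugin-driven login like this one has happened on their site, the following added example (not part of BookIt or of Wordfence's products) is a must-use plugin that records every authentication cookie issued for a privileged account by a request other than the normal login form. The 'set_auth_cookie' action, its fourth argument being the user ID, and the capability names are WordPress core; the log line format and the choice of capabilities are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Example auth-cookie audit (added example, not BookIt or Wordfence code)
 *
 * Place in wp-content/mu-plugins/. Writes a line to the PHP error log whenever
 * a session cookie is issued for an account that can manage options or edit
 * others' posts, and the issuing request is not wp-login.php.
 */
add_action( 'set_auth_cookie', 'example_log_unexpected_auth_cookie', 10, 4 );

function example_log_unexpected_auth_cookie( $auth_cookie, $expire, $expiration, $user_id ) {
	// Sessions created by the login form are expected; anything else is worth a look.
	$script = isset( $_SERVER['SCRIPT_NAME'] ) ? basename( $_SERVER['SCRIPT_NAME'] ) : '';
	if ( 'wp-login.php' === $script ) {
		return;
	}

	// Low-privilege customer accounts are normal for a booking plugin; only
	// record accounts whose takeover would matter.
	if ( ! user_can( $user_id, 'manage_options' ) && ! user_can( $user_id, 'edit_others_posts' ) ) {
		return;
	}

	$user = get_userdata( $user_id );
	error_log( sprintf(
		'[auth-audit] cookie issued for privileged user %s (ID %d) by %s %s from %s, action=%s',
		$user ? $user->user_login : '?',
		(int) $user_id,
		isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '?',
		isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '?',
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?',
		isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '-'
	) );
}
```

A privileged session appearing in this log with a front-end or admin-ajax request URI, rather than wp-login.php, is the signature of exactly the behaviour described in the analysis above and is a reasonable trigger to review the account and the plugin version installed.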

Disclosure Timeline

May 22, 2023 – Discovery of the Authentication Bypass vulnerability in BookIt.
May 22, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
May 22, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
May 23, 2023 – The vendor confirms the inbox for handling the discussion.
May 23, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
June 13, 2023 – A fully patched version of the plugin, 2.3.8, is released.
June 21, 2023 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we have detailed an Authentication Bypass vulnerability within the BookIt plugin affecting versions 2.3.7 and earlier. This vulnerability allows threat actors to bypass authentication and gain access to accounts of users, if the attacker knows the email address. The vulnerability has been fully addressed in version 2.3.8 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of BookIt as soon as possible.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.


Comments

2 Comments
  • Hi!
    No need to publish my comment.

    Just reporting a possible typo in the Disclosure Timeline section. I think the last date should be June 21 instead of July to match the second paragraph.

    Thanks for all you do!

    • Hi Sam, thanks for pointing that out! We've updated the article accordingly.