MotoPress Appointment Booking <= 2.4.4 - Unauthenticated Insecure Direct Object Reference to 'payment_details.booking_id' Parameter

2026-07-02 00:00
g0wthr

Strategic Overview

Status
Patched in 2.4.5
Affected Version<= 2.4.4
CVSS5.3Medium
CVECVE-2026-9180
View all MotoPress Appointment Booking vulnerabilities

Vulnerability Overview

The MotoPress Appointment Booking plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.4.4. This is due to the `POST /motopress/appointment/v1/bookings` REST endpoint being registered with `'permission_callback' => '__return_true'`, allowing unauthenticated access, while the `createBooking` handler in `BookingsRestController.php` accepts an attacker-supplied `payment_details.booking_id` value and loads the referenced booking via `findById()` without verifying that the caller owns or has any rights to that booking. This makes it possible for unauthenticated attackers to overwrite the customer name, email address, phone number, and `customer_id` of any non-confirmed victim booking by submitting a request with no reservation items, causing `BookingService::createBooking()` to load the existing victim booking object and persist it with attacker-controlled customer data. Victim booking IDs can be harvested prior to exploitation without authentication by querying the also-publicly-accessible `GET /motopress/appointment/v1/bookings/reservations` endpoint with a guessable `service_id` and date range, and only bookings whose status is not `STATUS_CONFIRMED` (e.g., pending or auto-draft) are valid targets.

Technical Analysis

REMEDIATION: Update to version 2.4.5, or a newer patched version --- IDENTIFIER: CWE-639 (Authorization Bypass Through User-Controlled Key) The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C