VYPR
Unrated severity · NVD Advisory · Published Sep 6, 2022 · Updated Apr 28, 2026

WordPress Booking Calendar plugin <= 9.2.1 - Cross-Site Request Forgery (CSRF) vulnerability

CVE-2022-33177

Description

Cross-Site Request Forgery (CSRF) vulnerability in WPdevelop/Oplugins Booking Calendar plugin <= 9.2.1 at WordPress leading to Translations Update.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-Site Request Forgery in Booking Calendar plugin for WordPress allows attackers to force translation updates via crafted requests.

Vulnerability

A Cross-Site Request Forgery vulnerability exists in the Booking Calendar plugin for WordPress (by WPdevelop/Oplugins) versions 9.2.1 and earlier. The flaw resides in the translation update functionality, which fails to validate or enforce a CSRF token. This allows an attacker to craft a malicious request that triggers a translation update when an authenticated administrator visits a crafted page or clicks a link [1][2].

Exploitation

An attacker must trick a logged-in WordPress administrator into clicking a malicious link or visiting a specially crafted page. No other authentication is required. The attacker does not need any prior network access; the malicious link or page can be hosted anywhere. The victim's browser automatically sends the forged request with their session cookies, performing the translation update [2].

Impact

Successful exploitation allows the attacker to initiate a translation update of the plugin. While the direct impact is limited to changing translation settings, this could be a stepping stone for further attacks, such as injecting malicious strings that might lead to stored XSS or other vulnerabilities. The attacker does not gain direct code execution but can modify the plugin's behavior [2].

Mitigation

The vendor released a fix in version 9.2.2 of the Booking Calendar plugin. Users are strongly advised to update to version 9.2.2 or later [2]. For users unable to update, consider implementing additional CSRF protection measures or limiting admin user interactions with untrusted content.
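The pattern behind this class of bug, shown as an added example that is not code from Booking Calendar or from the advisory: a WordPress admin handler that checks only the user's capability, beside the same handler with nonce verification. The action name `example_update_translations`, the settings page slug and every `example_*` function are hypothetical.

```php
<?php
/**
 * Plugin Name: Example translation-update handler (illustration only)
 *
 * Hypothetical names: the action 'example_update_translations', the page slug
 * and all example_* functions are assumptions, not Booking Calendar identifiers.
 */

// Stand-in for the state-changing work (refreshing translation files).
function example_run_translation_update() {
    update_option( 'example_translations_updated_at', time() );
}

// BEFORE: capability check only. The browser attaches the administrator's
// session cookie to any request, so a cross-site page can reach this code.
function example_update_translations_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    example_run_translation_update();
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// AFTER: same capability check, plus a nonce tied to the user, session and action.
function example_update_translations_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Stops with a 403 page unless $_REQUEST['_wpnonce'] is valid for this action.
    check_admin_referer( 'example_update_translations' );
    example_run_translation_update();
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}
// Register only the hardened handler for admin-post.php?action=example_update_translations.
add_action( 'admin_post_example_update_translations', 'example_update_translations_safe' );

// The admin form must emit the matching nonce, or legitimate requests fail too.
function example_render_update_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_update_translations">';
    wp_nonce_field( 'example_update_translations' ); // adds _wpnonce and _wp_http_referer
    submit_button( 'Update translations' );
    echo '</form>';
}
```

When auditing a plugin for this class of issue, look for `admin_post_*`, `wp_ajax_*` and `admin_init` callbacks that change state without a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call.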

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
