CVE-2023-1977

8.8 HIGH

📋 TL;DR

The Booking Manager WordPress plugin before version 2.0.29 has a Server-Side Request Forgery (SSRF) vulnerability that allows attackers with Subscriber-level privileges to make requests to internal network resources. This could lead to information disclosure, internal service enumeration, or attacks against internal systems. WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Booking Manager WordPress Plugin
Versions: All versions before 2.0.29
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires at least Subscriber-level WordPress user account. Plugin must be installed and active.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker gains access to sensitive internal systems, exfiltrates data, or launches attacks against internal infrastructure from the compromised WordPress server.

🟠 Likely Case: Attacker maps the internal network, discovers internal services, and potentially accesses internal systems that rely on weak authentication.

🟢 If Mitigated: Limited to internal network reconnaissance, with no critical systems exposed or with those systems properly segmented from the WordPress server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with Subscriber privileges or higher. SSRF payloads can be delivered through the plugin's admin panel or its shortcodes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.29

Vendor Advisory: https://wpscan.com/vulnerability/842f3b1f-395a-4ea2-b7df-a36f70e8c790

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Booking Manager plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.0.29 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Restrict User Registration (platform: all)

Disable new user registration or require administrator approval to prevent attackers from obtaining Subscriber accounts.

WordPress Settings > General > Membership: Uncheck 'Anyone can register'

Network Segmentation (platform: linux)

Restrict the WordPress server's access to internal network resources using firewall rules. iptables evaluates rules in order, so insert ACCEPT rules for any internal hosts the site legitimately needs (database, cache, SMTP relay) before these DROP rules, and persist the rules with your distribution's mechanism (for example iptables-save) or they are lost on reboot. Note that these three rules cover only the RFC1918 ranges; loopback and link-local destinations are not blocked by them.

iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP

🧯 If You Can't Patch

  • Deactivate and remove the Booking Manager plugin entirely
  • Implement strict network egress filtering from the WordPress server

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for the Booking Manager version. If the version is below 2.0.29, the site is vulnerable.

Check Version:

wp plugin list --name=booking-manager --field=version

Verify Fix Applied:

Confirm Booking Manager plugin version is 2.0.29 or higher in WordPress admin panel.
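The wp-cli command above prints only the version string; comparing it against 2.0.29 by hand is error-prone across many sites, and a naive string comparison gets "2.0.9" versus "2.0.29" wrong. The following script is an added example, not part of the advisory or the plugin: it parses the version into a numeric tuple and compares it against the fixed version. The wp-cli invocation and the WordPress root path (`/var/www/html`) are assumptions; `is_vulnerable` can be used on its own with version strings gathered by any means.

```python
"""Check whether an installed Booking Manager plugin is below the fixed
version 2.0.29 (CVE-2023-1977). Added example, not code from the advisory."""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "2.0.29"  # patch version stated in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.0.28' (or '2.0.28-beta1') into a comparable tuple of ints.
    A non-numeric suffix is ignored; missing components count as 0."""
    numeric = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not numeric:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in numeric.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts numerically before the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(wp_path: str = "/var/www/html") -> Optional[str]:
    """Ask wp-cli for the plugin version. Returns None if wp-cli is missing
    or the plugin is not installed. Assumes wp-cli is on PATH and wp_path is
    the WordPress root (hypothetical path)."""
    try:
        out = subprocess.run(
            ["wp", "plugin", "list", "--name=booking-manager",
             "--field=version", f"--path={wp_path}"],
            capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    ver = installed_version()
    if ver is None:
        print("Booking Manager not found or wp-cli unavailable")
    elif is_vulnerable(ver):
        print(f"VULNERABLE: Booking Manager {ver} is below {FIXED_VERSION}")
    else:
        print(f"OK: Booking Manager {ver} is {FIXED_VERSION} or later")
```

Run it on the WordPress host as a user that can execute wp-cli; a site that reports the plugin as vulnerable should be updated following the instructions in the Official Fix section.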

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from WordPress server to internal IP addresses
  • Multiple failed authentication attempts followed by successful Subscriber login

Network Indicators:

  • HTTP requests from WordPress server to internal RFC1918 addresses with .ics file extensions or calendar-related parameters

SIEM Query:

source="wordpress.log" AND ("booking-manager" OR ".ics") AND dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
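The SIEM query above combines two conditions: a plugin or .ics indicator and an internal destination. The script below is an added example, not part of the advisory, showing the same logic applied offline to a handful of constructed log lines so the matching can be checked before it is deployed. The log format (one line per outbound request with `src=`, `user=`, `plugin=` and `outbound=` fields) is hypothetical and will need adapting to whatever your proxy or WordPress HTTP-logging produces. It goes slightly beyond the query by also treating loopback and link-local destinations as internal, which is an assumption about what a defender wants flagged, not something the advisory states.

```python
"""Flag outbound requests from the WordPress host to internal addresses,
mirroring the advisory's SIEM query. Added example; log format constructed."""
import ipaddress
import re
from urllib.parse import urlparse

# RFC1918 ranges are what the advisory names; loopback and link-local are
# added here as an assumption (cloud metadata endpoints live in 169.254/16).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Hypothetical log format: timestamp, client IP that triggered the request,
# WordPress user, plugin, then the outbound method and URL.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"plugin=(?P<plugin>\S+) outbound=(?P<method>[A-Z]+) (?P<url>\S+)$")


def is_internal(host: str) -> bool:
    """True if host is a literal IP inside INTERNAL_NETS. Hostnames are not
    resolved here, so a DNS name that points inside is not caught by this
    check alone; pair it with resolver logs if you have them."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_ssrf_indicators(lines):
    """Return parsed records matching the advisory's indicators: the request
    came from booking-manager or targets a .ics URL, and the destination is
    an internal address."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a production job should count these
        rec = m.groupdict()
        url = urlparse(rec["url"])
        host = url.hostname or ""
        calendar_related = (rec["plugin"] == "booking-manager"
                            or url.path.endswith(".ics"))
        if calendar_related and is_internal(host):
            rec["dest_ip"] = host
            hits.append(rec)
    return hits


# Constructed sample lines; addresses are documentation/test ranges.
SAMPLE_LOG = [
    "2023-04-12T10:01:05Z src=203.0.113.7 user=subscriber01 plugin=booking-manager outbound=GET http://10.0.0.5/calendar.ics",
    "2023-04-12T10:01:09Z src=203.0.113.7 user=subscriber01 plugin=booking-manager outbound=GET http://192.168.1.1/",
    "2023-04-12T10:02:00Z src=198.51.100.3 user=editor plugin=booking-manager outbound=GET https://calendar.example.com/team.ics",
    "2023-04-12T10:03:30Z src=203.0.113.7 user=subscriber01 plugin=other-plugin outbound=GET http://169.254.169.254/meta.ics",
    "2023-04-12T10:04:00Z src=203.0.113.7 user=subscriber01 plugin=other-plugin outbound=GET http://10.0.0.9/",
]

if __name__ == "__main__":
    for hit in find_ssrf_indicators(SAMPLE_LOG):
        print(f"{hit['ts']} user={hit['user']} plugin={hit['plugin']} "
              f"-> {hit['dest_ip']} ({hit['url']})")
```

Of the five sample lines, three are flagged: the two booking-manager requests to RFC1918 addresses and the .ics fetch to the link-local metadata address; the external .ics fetch and the unrelated plugin's request to 10.0.0.9 are not, exactly as the SIEM query would behave. One repeated user appearing across several hits in a short window is the pattern to correlate with the login indicators listed above.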
