Analysis Report Folder Analysis cache/booking_10.14.11 → cache/booking_10.14.12 - CVE-2025-14982

Shared security patch analysis results

AI Used: claude_cli haiku
core/wpbc-activation.php AI: 1 vulnerability, 1 false positive
--- cache/booking_10.14.11/core/wpbc-activation.php	2026-01-16 00:20:23.917131315 +0000+++ cache/booking_10.14.12/core/wpbc-activation.php	2026-01-16 00:21:21.008712445 +0000@@ -663,19 +663,21 @@  $mu_option4delete[]='booking_menu_position';       $default_options['booking_translation_load_from'] = 'wp.org';  $mu_option4delete[]='booking_translation_load_from';-    $default_options['booking_user_role_booking'] = 'subscriber';++	// FixIn: 10.14.12.1.+    $default_options['booking_user_role_booking'] = 'editor';  $mu_option4delete[]='booking_user_role_booking';  -    $default_options['booking_user_role_availability'] = 'subscriber';+    $default_options['booking_user_role_availability'] = 'editor';  $mu_option4delete[]='booking_user_role_availability';-    $default_options['booking_user_role_addbooking'] = 'subscriber';+    $default_options['booking_user_role_addbooking'] = 'editor';  $mu_option4delete[]='booking_user_role_addbooking';-    $default_options['booking_user_role_resources'] = 'subscriber';+    $default_options['booking_user_role_resources'] = 'editor';  $mu_option4delete[]='booking_user_role_resources';  -    $default_options['booking_user_role_settings'] = 'subscriber';+    $default_options['booking_user_role_settings'] = 'editor';  $mu_option4delete[]='booking_user_role_settings';   //FixIn: 9.8.15.2.6 if ( class_exists( 'wpdev_bk_biz_m' ) ) {-		$default_options['booking_user_role_prices'] = 'subscriber';+		$default_options['booking_user_role_prices'] = 'editor'; 	 $mu_option4delete[]='booking_user_role_prices'; } 
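Review bot: Changing the six `booking_user_role_*` defaults from 'subscriber' to 'editor' in `$default_options` only affects the values written on a fresh activation; nothing in this hunk migrates an existing installation that already has 'subscriber' stored in these options, so the `// FixIn: 10.14.12.1.` comment should say whether an upgrade routine rewrites the stored values, or such a routine should be added alongside this change. Note also that the hunk touches only defaults and shows no change to the code that reads these options, so the diff by itself does not establish that any authorization check was added. Minor style point: the added `// FixIn` comment is tab-indented while the `$default_options[...]` line below it uses spaces, and an extra blank line is inserted before the comment.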
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Privilege Escalation / Insecure Default Permissions - CWE-276 - core/wpbc-activation.php [666, 669, 671, 673, 675, 677, 681]

Old Code:
```php
$default_options['booking_user_role_booking'] = 'subscriber';
$default_options['booking_user_role_availability'] = 'subscriber';
$default_options['booking_user_role_addbooking'] = 'subscriber';
$default_options['booking_user_role_resources'] = 'subscriber';
$default_options['booking_user_role_settings'] = 'subscriber';
$default_options['booking_user_role_prices'] = 'subscriber';
```

Fixed Code:
```php
$default_options['booking_user_role_booking'] = 'editor';
$default_options['booking_user_role_availability'] = 'editor';
$default_options['booking_user_role_addbooking'] = 'editor';
$default_options['booking_user_role_resources'] = 'editor';
$default_options['booking_user_role_settings'] = 'editor';
$default_options['booking_user_role_prices'] = 'editor';
```

Explanation:
The vulnerability was a privilege escalation issue caused by overly permissive default role assignments. By allowing 'subscriber' users (the lowest privilege role in WordPress) to perform critical booking operations (create bookings, manage availability, add bookings, manage resources, modify settings, and manage prices), the plugin created a serious access control vulnerability. Subscribers could perform administrative functions they should not have access to. The fix restricts these capabilities to 'editor' role users, which provides appropriate privilege separation and prevents unauthorized users from performing sensitive booking operations. This is a CWE-276 (Incorrect Default Permissions) vulnerability that could lead to privilege escalation attacks.
CVE Analysis Results:
CVE-2025-14982: No
CVE Description:
The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users.
wpdev-booking.php AI: No vulnerabilities
--- cache/booking_10.14.11/wpdev-booking.php	2026-01-16 00:20:25.161209415 +0000+++ cache/booking_10.14.12/wpdev-booking.php	2026-01-16 00:21:46.606316228 +0000@@ -7,7 +7,7 @@ Author URI: https://wpbookingcalendar.com/ Text Domain: booking Domain Path: /languages/-Version: 10.14.11+Version: 10.14.12 License: GPLv2 or later */ @@ -34,7 +34,7 @@   if ( ! defined( 'WP_BK_VERSION_NUM' ) ) {-	define( 'WP_BK_VERSION_NUM', '10.14.11' );+	define( 'WP_BK_VERSION_NUM', '10.14.12' ); } if ( ! defined( 'WP_BK_MINOR_UPDATE' ) ) { 	define( 'WP_BK_MINOR_UPDATE',  true );
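Review bot: Both version strings are bumped consistently, the plugin header `Version: 10.14.12` and `define( 'WP_BK_VERSION_NUM', '10.14.12' );`, and `WP_BK_MINOR_UPDATE` is left at `true`, which matches a patch-level release; no further change in these two hunks.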
AI Analysis
I've reviewed the provided diff for the wpdev-booking.php file.

**Analysis Result:**

Vulnerability Existed: no

**Explanation:**

The diff shows only version number updates from 10.14.11 to 10.14.12 in two locations:
1. The plugin header comment (line 10)
2. The WP_BK_VERSION_NUM constant definition (line 37)

These are benign version string changes with no security implications. There are no code modifications, logic changes, or alterations to security-relevant functionality. Version bumps alone do not introduce or fix vulnerabilities.

**Conclusion:** This diff contains no security vulnerabilities to analyze.
CVE Analysis Results:
CVE-2025-14982: No