漏洞概述 该漏洞涉及WordPress插件 ,具体在版本1.4.03中存在权限验证问题。攻击者可以通过构造特定的请求,绕过权限检查,从而访问或修改敏感数据。 影响范围 受影响版本: 1.4.03 影响功能:插件中的预约管理功能,特别是涉及用户权限的部分。 修复方案 1. 更新插件:建议用户立即更新到最新版本,以获取最新的安全补丁。 2. 代码审查:开发者应审查并修复代码中的权限验证逻辑,确保所有敏感操作都经过严格的权限检查。 3. 加强权限管理:在插件中增加更细粒度的权限控制,防止未授权访问。 POC代码 以下是从截图中提取的POC代码: ```php // 文件路径: appointment-booking-calendar/trunk/cpacb/cpacb_apps_en.inc.php // 第271-275行 if ($calender != '') { define('CPACB_CALENDAR_FIXED_ID', intval($calender)); } else if ($isadmin) { $users = $wpdb->get_results("SELECT user_login,ID FROM $wpdb-users WHERE user_login='" . esc_sql($user) . "'"); if (isset($users[0])) { define('CPACB_CALENDAR_USER', $users[0]->ID); } } // 第277-280行 if ($isadmin) { if ($calender != '') { define('CPACB_CALENDAR_FIXED_ID', intval($calender)); } else if ($isadmin) { $users = $wpdb->get_results("SELECT user_login,ID FROM $wpdb-users WHERE user_login='" . esc_sql($user) . "'"); if (isset($users[0])) { define('CPACB_CALENDAR_USER', $users[0]->ID); } } } // 第282-288行 else { define('CPACB_CALENDAR_USER', 0); } // 第289-295行 if ($isadmin) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE owner='" . CPACB_CALENDAR_USER . "' AND calendarid='0'"); } else if (defined('CPACB_CALENDAR_FIXED_ID')) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE id='" . CPACB_CALENDAR_FIXED_ID . "' AND calendarid='0'"); } else { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE calendarid='0'"); } // 第297-303行 if (defined('CPACB_CALENDAR_USER') && CPACB_CALENDAR_USER != 0) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE owner='" . CPACB_CALENDAR_USER . "' AND calendarid='0'"); } else if (defined('CPACB_CALENDAR_FIXED_ID')) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE id='" . CPACB_CALENDAR_FIXED_ID . "' AND calendarid='0'"); } else { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE calendarid='0'"); } // 第305-311行 if (defined('CPACB_CALENDAR_USER') && CPACB_CALENDAR_USER != 0) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE owner='" . CPACB_CALENDAR_USER . "' AND calendarid='0'"); } else if (defined('CPACB_CALENDAR_FIXED_ID')) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE id='" . CPACB_CALENDAR_FIXED_ID . "' AND calendarid='0'"); } else { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE calendarid='0'"); } // 第313-319行 if (defined('CPACB_CALENDAR_USER') && CPACB_CALENDAR_USER != 0) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE owner='" . CPACB_CALENDAR_USER . "' AND calendarid='0'"); } else if (defined('CPACB_CALENDAR_FIXED_ID')) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE id='" . CPACB_CALENDAR_FIXED_ID . "' AND calendarid='0'"); } else { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE calendarid='0'"); } // 第321-327行 if (defined('CPACB_CALENDAR_USER') && CPACB_CALENDAR_USER != 0) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE owner='" . CPACB_CALENDAR_USER . "' AND calendarid='0'"); } else if (defined('CPACB_CALENDAR_FIXED_ID')) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE id='" . CPACB_CALENDAR_FIXED_ID . "' AND calendarid='0'"); } else { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE calendarid='0'"); } // 第329-335行 if (defined('CPACB_CALENDAR_USER') && CPACB_CALENDAR_USER != 0) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE owner='" . CPACB_CALENDAR_USER . "' AND calendarid='0'"); } else if (defined('CPACB_CALENDAR_FIXED_ID')) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE id='" . CPACB_CALENDAR_FIXED_ID . "' AND calendarid='0'"); } else { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE calendarid='0'"); } // 第337-343行 if (defined('CPACB_CALENDAR_USER') && CPACB_CALENDAR_USER != 0) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE owner='" . CPACB_CALENDAR_USER . "' AND calendarid='0'"); } else if (defined('CPACB_CALENDAR_FIXED_ID')) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE id='" . CPACB_CALENDAR_FIXED_ID . "' AND calendarid='0'"); } else { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE calendarid='0'"); } // 第345-351行 if (defined('CPACB_CALENDAR_USER') && CPACB_CALENDAR_USER != 0) { $users = $wpdb->get_results("SELECT FROM " . CPACB_APPOINTMENTS_CONFIG_TABLE_NAME . " WHERE owner