cbcvebase.
CVE-2019-15774
published 2019-08-29

CVE-2019-15774: The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

PriorityP279medium6.1CVSS 3.0
AVNACLPRNUIRSCCLILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.73%
74.8th percentile
The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting.

Affected

1 ranges
VendorProductVersion rangeFixed in
booking_projectbooking< 2.52.5

Detection & IOCsextracted from sources · hover to see the quote

url/wp-admin/admin-ajax.php?action=nd_booking_import_settings_php_function&nd_booking_value_import_settings=nd_booking_plugin_dev_mode%5Bnd_booking_option_value%5D1
path/wp-content/plugins/nd-booking/readme.txt
path/wp-content/plugins/nd-booking/
  • Exploit request targets the unauthenticated nopriv_ AJAX action `nd_booking_import_settings_php_function` via GET to /wp-admin/admin-ajax.php — no authentication required.
  • Successful exploitation returns one of two distinct response strings confirming the WordPress option was modified; match either string in HTTP response body to confirm exploitation.
  • Fingerprint vulnerable plugin installations by checking for the string 'Booking WP plugin' in /wp-content/plugins/nd-booking/readme.txt and version < 2.5.
  • Use Shodan query to discover exposed vulnerable instances.
  • Use FOFA query to discover exposed vulnerable instances.
  • Use PublicWWW query to discover exposed vulnerable instances.
  • ·The vulnerability allows unauthenticated modification of the WordPress `siteurl` setting (and other options such as `nd_booking_plugin_dev_mode`) via the exposed nopriv_ AJAX action, which requires no login or nonce.
  • ·The exploit is marked `intrusive` — sending the proof-of-concept request will actually modify the target site's WordPress options (e.g., enabling dev mode), not merely probe for the vulnerability.

CVSS provenance

nvdv3.06.1MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.05.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:N
vulncheck6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.