Share
## https://sploitus.com/exploit?id=WPEX-ID:3CD1D8D2-D2A4-45A9-9B5F-C2A56F08BE85
When a guest make a booking via sending "action: package_app_public_action" and "mode: sendbooking" request (screenshot: https://i.imgur.com/ql7bqnl.png), there is a field "icalToken" in the response, screenshot: https://i.imgur.com/6hlNcgU.png

If the plugin has ical integration enabled, a threat actor can abuse this feature to download all the booking data, including email and name of all customers.

For example, this file is from demo site and has all the booking information: https://booking-package.saasproject.net/demo-booking/?id=1&ical=445976b9e3f3276019b4763fb138ad9895e0a641

screenshot: https://i.imgur.com/7mum5Jc.png