Cross-Site Scripting in Calendar WordPress Plugin

Abstract

A Cross-Site Scripting vulnerability was found in the Calendar WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

OVE ID

OVE-20160725-0008

Tested versions

This issue was successfully tested on Calendar WordPress Plugin version 1.3.7.

Fix

This issue is resolved in Calendar version 1.3.8.

Introduction

The Calendar WordPress Plugin allows users to manage events and appointments and display them to the world. A Cross-Site Scripting vulnerability was found in the Calendar WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.

Details

For any page containing a calendar the GET request parameters are appended as hidden inputs when the calendar is configured to have a date switcher. The input isn't properly sanitised and allows an attacker to add attributes to the input, including events.

In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website. In addition, the calendar must configured to have a date switcher. By default this is disabled.

Proof of concept

Given the post hello-world, which has a calendar, visit the page with the following URL:

http:///2016/06/22/hello-world/?foo=whoeiii%22%20accesskey=x%20onclick=alert(1);//

The key combination CTRL + ALT + x triggers the onclick event.

Questions or feedback?