Event post <= 5.9.5 is vulnerable to Local File Inclusion
Your plugin has had to be temporarily withdrawn from the WordPress.org Plugin Directory due to a security bug.
https://wordpress.org/plugins/event-post/
For the next 60 days, your plugin will simply say that it is no longer available for download. After that time, it will state that it was closed for a security issue.
What to Do Next
We understand this can be a shocking and painful email to receive. We do not close plugins lightly, and when it comes to security issues we attempt to balance the volume of users and the history of the developers with the severity and potential for damage of the report. We believe that leaving plugins open would put users at risk if we allowed them to download code that could be exploited, and once an exploit is reported, it is often acted upon by persons nefarious.
To help restore your plugin as quickly as possible, you are required to do the following:
- Review the report (listed below) and make corrections to prevent it from being exploitable
- Perform a full security and standards review on your own code
- Install Plugin Check and run it against your plugin. IMPORTANT NOTE: All issues it finds must be fixed before your plugin will be re-reviewed or able to be re-listed in the Plugin Directory, regardless of their connection to the initial reported security vulnerability.
- Increase the plugin version
- Ensure the 'tested up to' version in your readme is the latest release of WordPress
- Update the code in SVN (do not send us a link to a repo or dropbox or a zip of the new files)
- Reply to this email and request a re-review
If you believe the report is not valid, and that your plugin is secure, please reply to this email to let us know. If the vulnerability is XSS or CSRF related, know that Chrome actually prevents those from working in their browser and you may need to check in Firefox or another browser.
Should you, for any reason, find you are unable to update the plugin, please let us know promptly so we can decide on the best course of action to take in order to protect the users. It's okay if you just can't fix this or don't want to.
Plugins are closed immediately and the developer contacted when this happens, in part because we have an imperfect system of notifications. This means until your plugin is corrected to meet our guidelines, we will not reopen it.
Please review our documentation on how to use SVN - https://developer.wordpress.org/plugins/wordpress-org/how-to-use-subversion/#best-practices - as improper SVN usage can delay our reviews.
When we re-review your code we will look at not just the changes, but the entire plugin, so there may be a delay. Rest assured, we prioritize reviews of security related issues above all else.
If you haven't done so already, we strongly recommend setting up Plugin Check and running it before re-submission, as ANY security and/or guideline violations it flags are required to be fixed before your plugin can be relisted. We recommend using this system in day-to-day development as it is capable of automatically catching a wide variety of the security and guideline violations we see on re-review.
Vulnerability Report
- Plugin: https://wordpress.org/plugins/event-post/
- CVSS: 7.5
- Prereq.: Unauthenticated
- VDP URL: https://patchstack.com/database/report-preview/7b4ff592-34ed-4902-8004-992f26d5d98a?pin=XDBgmcJAzbTdrOdH
This is not a full review of your plugin.
Once you've replied, we will re-scan your entire plugin, looking for both security issues and guideline violations. Should we find other issues on a re-review, you will be required to fix those before we reopen your plugin.
We require this because if we found another security issue down the road, we would have to close your plugin again. We feel it's better for your reputation to have a plugin closed once and fixed rather than multiple times. In addition, there are some less than ethical companies who will absolutely 0-day your plugin if we reopen it while you're still working on security issues.
If you have any questions, please let us know.
Detailed report
Vulnerability description
Emili Castells discovered and reported this Local File Inclusion vulnerability in WordPress Event post Plugin to Patchstack.
See tips for patching this kind of vulnerability
How to reproduce
The plugin is vulnerable to unauthenticated Local File Inclusion, which makes it possible for unauthenticated attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
It does not properly sanitize the file path in the "generate_ics" method, which is called from the non-private (unauthenticated) AJAX action "wp_ajax_nopriv_EventPostExport".
As an unauthenticated attacker, run the following request to include the "wp-config.php" file:
POST /wp-admin/admin-ajax.php?action=EventPostExport&event_id=1&format=../../../../../wp-config
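The following is an added illustration of the pattern the report describes and one way to patch it; it is not the Event post plugin's code, and the function names, hook callback, "export/" directory and the "ics"/"csv" allowlist are assumptions made for the example. The vulnerable form shows why "../../../../../wp-config" works: the raw "format" parameter is concatenated into an include path and PHP appends nothing that a traversal cannot walk past. The hardened form never builds a path from the parameter at all; it maps the value onto a fixed allowlist, resolves the chosen file with realpath(), and refuses anything that does not resolve inside the plugin directory.

```php
<?php
// Added example, not the Event post plugin's own code. All names here
// (event_post_export_handler, generate_ics_*, the export/ directory, the
// ics/csv allowlist) are assumptions modelled on the vulnerability report.

// --- Vulnerable pattern (what the report describes) ---
// The attacker-controlled `format` value becomes part of an include path.
// format=../../../../../wp-config resolves to <site root>/wp-config.php,
// so any PHP file the web server can read is included and executed.
function generate_ics_vulnerable(array $request): void {
    $format = $request['format'] ?? 'ics';
    include plugin_dir_path(__FILE__) . 'export/' . $format . '.php'; // user input in include path
}

// --- Hardened pattern ---
// 1. Map the request value onto a fixed allowlist; the key is the only thing
//    taken from the request, and the file path comes from the table.
// 2. Resolve the file with realpath() and confirm it is still inside the
//    plugin directory before including it (defence in depth if the table
//    is ever extended carelessly).
function generate_ics_hardened(array $request): void {
    $allowed = [
        'ics' => 'export/ics.php', // assumed exporter files for this example
        'csv' => 'export/csv.php',
    ];

    // sanitize_key() lowercases and strips everything outside [a-z0-9_-],
    // so "../" sequences cannot survive, but the allowlist is the real control.
    $format = isset($request['format']) ? sanitize_key($request['format']) : 'ics';
    if (!array_key_exists($format, $allowed)) {
        wp_send_json_error('unsupported format', 400); // calls wp_die(), request ends here
    }

    $base = realpath(plugin_dir_path(__FILE__));
    $file = realpath($base . DIRECTORY_SEPARATOR . $allowed[$format]);

    // realpath() returns false for a missing file; the prefix check rejects
    // any resolved path outside the plugin directory (symlinks included).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($file === false || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        wp_send_json_error('export template unavailable', 500);
    }

    include $file;
}

// The export is reachable without authentication (wp_ajax_nopriv_*), which
// is fine for public event data as long as no request value is used as a path.
function event_post_export_handler(): void {
    generate_ics_hardened($_REQUEST); // admin-ajax accepts GET or POST parameters
}
add_action('wp_ajax_EventPostExport', 'event_post_export_handler');
add_action('wp_ajax_nopriv_EventPostExport', 'event_post_export_handler');
```

With the hardened handler, the request in the report (format=../../../../../wp-config) is reduced by sanitize_key() to "wp-config", which is not an allowlist key, so the handler answers with a 400 and never touches the filesystem. If the plugin later needs more formats, they are added as table entries; no change to the handler can reintroduce a path built from request data.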