Authenticated (Contributor+) Stored Cross-Site Scripting via events_cal Shortcode
Vulnerability Title: Event Post <= 5.9.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via events_cal Shortcode
CVE ID: CVE-2024-10186
CVSS Severity Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Organization: Wordfence
Vulnerability Researcher(s): Peter Thaleikis
Software Link(s): https://wordpress.org/plugins/event-post
Description
The Event Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's events_cal shortcode in all versions up to, and including, 5.9.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Proof of Concept
Steps to replicate
- Install and activate the plugin.
- Sign in as a contributor in a new session/different browser, create a new post and paste the shortcode below before saving it:
[events_cal date='" style="width:10000px;height:10000px;max-height:10000px;max-width:100000px;position:absolute;left:0px;top:0px;z-index:1000000;background:rgba(0,0,0,0.5);opacity:0" onmouseover="alert(1)" x="']
Any of the other parameters mentioned above can be swapped out in the shortcode.
- Access the preview and move your mouse over the page. The alert(1) should trigger.
Impact
The vulnerability could be escalated to trick an admin into executing an undesired request in the context of the current session as well as other permission-dependent actions.
Any Known Public References
https://wordpress.org/plugins/event-post/#developers
Recommended Solution
We recommend using one of the built-in WordPress sanitization and/or escaping functions before saving user input data to the database and when displaying it on output. You can read more about the sanitization and escaping functions that WordPress has available at: https://developer.wordpress.org/apis/security/sanitizing/ & https://developer.wordpress.org/apis/security/escaping/
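The pattern behind this class of bug, and the fix the paragraph above recommends, as an added illustration that is not the Event Post plugin's own code: a hypothetical shortcode handler (example_cal) that writes a user-supplied attribute into an HTML attribute, shown first without escaping and then validated and escaped with the WordPress core functions shortcode_atts(), sanitize_text_field() and esc_attr(). It assumes it is loaded inside WordPress, where those functions exist.

```php
<?php
/**
 * Illustrative shortcode handler (added example, not the Event Post plugin's code).
 * Assumes WordPress is loaded: add_shortcode(), shortcode_atts(),
 * sanitize_text_field() and esc_attr() are WordPress core functions.
 */

// Unsafe pattern: the attribute value is interpolated straight into an HTML
// attribute. A value that starts with a double quote closes data-date and lets
// the author append further attributes, including event handlers, to the tag.
function example_cal_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'date' => '' ), $atts, 'example_cal' );
    return '<div class="example-cal" data-date="' . $atts['date'] . '"></div>';
}

// Hardened pattern: validate the attribute against the format the feature
// actually needs, then escape it for the HTML attribute context on output.
function example_cal_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'date' => '' ), $atts, 'example_cal' );

    // Input validation: a calendar date only ever needs YYYY-MM-DD. Anything
    // else is discarded and replaced by today's date (hypothetical default).
    $date = sanitize_text_field( $atts['date'] );
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        $date = gmdate( 'Y-m-d' );
    }

    // Output escaping: esc_attr() encodes quotes and angle brackets, so even a
    // value that slipped past validation cannot terminate the attribute.
    return '<div class="example-cal" data-date="' . esc_attr( $date ) . '"></div>';
}

add_shortcode( 'example_cal', 'example_cal_shortcode_safe' );
```

Validation and escaping are independent layers: the whitelist regex rejects the shortcode payload outright, and esc_attr() covers any attribute the validation does not constrain as tightly.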
As per our standard disclosure process, we may notify our customers and the general public about this vulnerability according to the timeline outlined here: https://www.wordfence.com/security/. We may confidentially notify interested parties both inside and outside our organization before the announcement date. To avoid an accelerated disclosure timeline, please acknowledge receipt of this report within 14 days.
You should be aware that other researchers may independently discover this vulnerability and announce it prematurely. You should also note that this vulnerability may be exploited in the wild already. For these reasons we encourage you to release a fix as soon as possible to help protect your customers.
As a courtesy we ask that you notify us as soon as you release a fix to your customers. Please let me know if you have any questions.