Cross Site Scripting (XSS) in [event_map] shortcode
Report link: https://patchstack.com/database/report-preview/741641b4-60b3-43ce-b1e7-a993f5b86ec3
PIN code: v1kwoV9XFqLnPbfW
Vulnerability description
Peter Thaleikis discovered and reported this Cross Site Scripting (XSS) vulnerability in the WordPress Event post Plugin to Patchstack. See tips for patching this kind of vulnerability.
How to reproduce
The "Event post" plugin (slug: event-post) is vulnerable to stored XSS via shortcode(s). Versions up to, and including, 5.9.7 are vulnerable due to insufficient escaping of user-supplied input.
Proof of Concept
- Install and activate the plugin.
- Create a new post and set a start/end for the event in the editor sidebar under "Post" as well as a location by coordinates (see attached screenshot). Save and publish the post.
- Sign in as a contributor in a new session/different browser, create a new post and paste the shortcode below before saving it:
  [events_map future=true past=true geo=true pages=true width='10000px;height:10000px;max-height:10000px;max-width:100000px;position:absolute;left:-5000px;top:-5000px;z-index:1000000;background:rgba(0,0,0,0.5);opacity:0" onmouseover="alert(1)" x="' height="100%"]
- Access the preview and enter the webpage using the mouse. The alert should trigger.
Additional information by researcher
Stored XSS in shortcode(s) of "Event post"
The "Event post" plugin (slug: event-post) is vulnerable to stored XSS via shortcode(s). Versions up to, and including, 5.9.7 are vulnerable due to insufficient escaping of user-supplied input.
Root Cause
The shortcode is defined in inc/class-shortcodes.php:
12 class Shortcodes{
[...]
15 function __construct() {
16 //Shortcodes
17 add_action('init', array(&$this,'init'));
18 add_shortcode(apply_filters('eventpost_shortcode_slug', 'events_list'), array(&$this, 'shortcode_list'));
19 add_shortcode(apply_filters('eventpost_shortcode_slug', 'events_timeline'), array(&$this, 'shortcode_timeline'));
20 add_shortcode(apply_filters('eventpost_shortcode_slug', 'events_map'), array(&$this, 'shortcode_map'));
[...]
243 public function shortcode_map($_atts) {
[...]
286 $atts = shortcode_atts(apply_filters('eventpost_params', $defaults, 'shortcode_map'), $_atts);
[...]
296 return $this->EP->list_events($atts, 'event_geolist', 'shortcode'); //$nb,'div',$future,$past,1,'event_geolist');
297 }
The event list is rendered by list_events() in eventpost.php from line 1599 onwards and is vulnerable in line 1741, where the shortcode attribute values are concatenated into HTML data-* attributes without escaping:
1599 public function list_events($atts, $id = 'event_list', $context='') {
[...]
1733 if($id == 'event_geolist'){
1734 if($height==''){
1735 $height = '300px';
1736 }
1737 if($width==''){
1738 $width = '100%';
1739 }
1740 $attributes .= ' data-tile="'.$tile.'"
1741 data-width="'.$width.'"
1742 data-height="'.$height.'"
1743 data-zoom="'.$zoom.'"
1744 data-map_position="'.$map_position.'"
1745 data-latitude="'.$latitude.'"
1746 data-longitude="'.$longitude.'"
1747 data-pop_element_schema="'.$pop_element_schema.'"
1748 data-htmlPop_element_schema="'.esc_attr($htmlPop_element_schema).'"
1749 data-list="'.$list.'"
1750 data-disabled-interactions="';
1751 // add data-position with my variables
1752 foreach($this->map_interactions as $int_key=>$int_name){
1753 $attributes.=$atts[$int_key]==false ? $int_key.', ' : '';
1754 }
1755 $attributes.='" ';
1756 }
[...]
1805 return apply_filters('eventpost_listevents', $ret, $id.$this->list_id, $atts, $events, $context);
1806 }
Sources:
- https://plugins.trac.wordpress.org/browser/event-post/tags/5.9.7/inc/class-shortcodes.php
- https://plugins.trac.wordpress.org/browser/event-post/tags/5.9.7/eventpost.php
Impact
This makes it possible for authenticated attackers with contributor permissions or above to insert JavaScript that triggers when a visitor interacts with the web page by mouse. This could, for example, be leveraged to steal cookies or PII, or to mount other attacks.
Remediation
The values should be passed through esc_attr() to ensure proper escaping.
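As an added illustration of the root cause and of this remediation (example code, not the plugin's own), the snippet below places the unescaped attribute concatenation from list_events() beside a hardened variant that passes every shortcode value through esc_attr(), then parses both outputs with DOMDocument to count how many attributes the browser actually ends up with. The esc_attr() stand-in is an assumption so the file runs outside WordPress; inside WordPress the real function is used.

```php
<?php
// Added example, not the plugin's code. Outside WordPress esc_attr() does not
// exist, so this stand-in (an assumption) reproduces its effect for attribute
// context: quotes, angle brackets and ampersands are HTML-encoded.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Mirrors the vulnerable pattern in list_events(): shortcode attribute values
// are interpolated straight into data-* attributes.
function build_map_attributes_unsafe(array $atts): string {
    return ' data-width="' . $atts['width'] . '"'
         . ' data-height="' . $atts['height'] . '"'
         . ' data-zoom="' . $atts['zoom'] . '"';
}

// Hardened variant: every user-controlled value is escaped for an attribute.
function build_map_attributes_safe(array $atts): string {
    return ' data-width="' . esc_attr($atts['width']) . '"'
         . ' data-height="' . esc_attr($atts['height']) . '"'
         . ' data-zoom="' . esc_attr($atts['zoom']) . '"';
}

// Counts the attributes the HTML parser sees on the first <div>. The template
// intends exactly three (data-width, data-height, data-zoom); any extra
// attribute means a value broke out of its quotes.
function count_div_attributes(string $markup): int {
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $markup . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $div = $doc->getElementsByTagName('div')->item(0);
    return $div ? $div->attributes->length : 0;
}

// Constructed shortcode attributes in the shape of the PoC above: the width
// value closes data-width and appends an event handler attribute.
$atts = [
    'width'  => '100%" onmouseover="alert(1)" x="',
    'height' => '300px',
    'zoom'   => '12',
];

$unsafe = '<div' . build_map_attributes_unsafe($atts) . '></div>';
$safe   = '<div' . build_map_attributes_safe($atts) . '></div>';

echo "Unescaped markup:\n$unsafe\n";
echo 'Attributes seen by the parser: ' . count_div_attributes($unsafe) . "\n\n"; // 5
echo "Escaped markup:\n$safe\n";
echo 'Attributes seen by the parser: ' . count_div_attributes($safe) . "\n";    // 3
```

With the unescaped builder the parser reports five attributes (the smuggled onmouseover and x included); with esc_attr() it reports the intended three, and the map script still reads the original width string because the browser decodes the entities when it exposes the attribute value. The same count can serve as a regression test in the plugin's test suite: assert that the rendered element carries only the attributes the template lists.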
See researcher files below
d1cc5e7b-3a47-4809-905d-677cadf37b27.png
How to disclose
To make the patching process easier and safer for all users, we recommend reading our memo about the most common vulnerabilities and the way these can be fixed. If you need help understanding some of the security concepts, don’t worry. That’s when we step in and help.
Please send us the patched version or code before releasing it, so we could help you avoid incomplete patches that could lead to inconveniences. Don’t delay security patch releases for other non-security updates. Ideally, security fixes would be released separately so users could update ASAP without fear of anything breaking. You can also join the free Patchstack mVDP program to have better control over the vulnerability patching and disclosure process.