Skip to content
GitLab
Closed
Issue created by Bastien Ho@bastienho👽Owner

Authenticated (Contributor+) Stored Cross-Site Scripting

Hi Apps,

We have found another vulnerability. The vulnerability's details are outlined below. Please note that this issue was discovered and responsibly reported to us by Peter Thaleikis. Any credit for the discovery of the vulnerability should be granted to them.

Vulnerability Title: Event post <= 5.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID: CVE-2025-2167
CVSS Severity Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Organization: Wordfence
Vulnerability Researcher(s): Peter Thaleikis
Software Link(s): https://wordpress.org/plugins/event-post

Description The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list' shortcodes in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Proof of Concept

Stored XSS in a shortcode of "Event post"

The "Event post" plugin (slug: event-post) is vulnerable to stored XSS via a shortcode. Versions up to, and including, 5.9.9 are vulnerable due to insufficient escaping of user-supplied input.

Impact

This makes it possible for authenticated attackers with contributor permissions or above to insert JavaScript that triggers when accessing the web-page. This could be, for example, leveraged to steal cookies or PII, as well as other attacks.

Root Cause

eventpost.php is vulnerable on line 1673:

1613 public function list_events($atts, $id = 'event_list', $context='') {
1614 $ep_settings = $this->settings;
1615 $defaults = array(
1616 'nb' => 0,
1617 'type' => 'div',
1618 'future' => true,
1619 'past' => false,
1620 'geo' => 0,
1621 'width' => '',
1622 'height' => '',
1623 'list' => 0,
1624 'zoom' => '',
1625 'map_position' => 'false',
1626 'latitude' => '',
1627 'longitude' => '',
1628 'tile' => $ep_settings['tile'],
1629 'pop_element_schema' => 'false',
1630 'htmlPop_element_schema' => '',
1631 'title' => '',
1632 'before_title' => '<h3>',
1633 'after_title' => '</h3>',
1634 'cat' => '',
1635 'tag' => '',
1636 'tax_name' => '',
1637 'tax_term' => '',
1638 'events' => '',
1639 'style' => '',
1640 'thumbnail' => '',
1641 'thumbnail_size' => '',
1642 'excerpt' => '',
1643 'orderby' => 'meta_value',
1644 'order' => 'ASC',
1645 'class' => '',
1646 'className' => '',
1647 'container_schema' => $this->list_shema['container'],
1648 'item_schema' => $this->list_shema['item'],
1649 'pages' => false,
1650 'paged' => '',
1651 );
1652 // Map UI options
1653 foreach($this->map_interactions as $int_key=>$int_name){
1654 $defaults[$int_key]=true;
1655 }
1656 $atts_old_nb = $defaults['nb'];
1657 if($id == "event_timeline"){
1658 $atts_old_nb = $atts['nb'];
1659 $atts['nb'] = 0;
1660 }
1661
1662 $atts = shortcode_atts(apply_filters('eventpost_params', $defaults, 'list_events'), $atts);
1663
1664 extract($atts);
1665 if (!is_array($events)) {
1666 $events = $this->get_events($atts);
1667 }
1668
1669 $ret = '';
1670 $this->list_id++;
1671 if (sizeof($events) > 0) {
1672 if (!empty($title)) {
1673 $ret.= html_entity_decode($before_title) . $title . html_entity_decode($after_title);
1674 }
[...]

Source(s):

https://plugins.trac.wordpress.org/browser/event-post/trunk/eventpost.php#L1673

Remediation

The value(s) should be passed through wp_kses to ensure proper filtering.

Proof of Concept

  1. Install and activate the plugin.

  2. Create a new post and set a start/end in the future for the event in the editor sidebar under "Post". Save and publish the post.

  3. Sign in as a contributor in a new session/different browser, create a new post and paste the shortcode below before saving it:

[events_list future=1 past=1 title=x before_title='&lt;script&gt;alert(1)&lt;/script&gt;']
  1. Access the preview. The alert should trigger.

Any Known Public References https://plugins.trac.wordpress.org/browser/event-post/trunk/eventpost.php#L1673

Recommended Solution We recommend using one of the built-in WordPress sanitization and/or escaping functions before saving user input data to the database and when displaying it on output. You can read more about the sanitization and escaping functions that WordPress has available at: https://developer.wordpress.org/apis/security/sanitizing/ & https://developer.wordpress.org/apis/security/escaping/

As per our standard disclosure process, we may notify our customers and the general public about this vulnerability according to the timeline outlined here: https://www.wordfence.com/security/. We may confidentially notify interested parties both inside and outside our organization before the announcement date. To avoid an accelerated disclosure timeline, please acknowledge receipt of this report within 14 days.

You should be aware that other researchers may independently discover this vulnerability and announce it prematurely. You should also note that this vulnerability may be exploited in the wild already. For these reasons we encourage you to release a fix as soon as possible to help protect your customers.

As a courtesy we ask that you notify us as soon as you release a fix to your customers. Please let me know if you have any questions.

Adam Goodlin Customer Support Engineer