Advisory ID: HTB23139
Product: Events Manager WordPress plugin
Vendor: Marcus Sykes
Vulnerable Versions: 5.3.3 and probably prior
Tested Version: 5.3.3
Vendor Notification: January 16, 2013
Vendor Fix: January 17, 2013
Public Disclosure: March 6, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-1407
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in Events Manager WordPress plugin, which can be exploited to perform Cross-Site Scripting attacks.


1) Multiple XSS vulnerabilities in Events Manager WordPress plugin: CVE-2013-1407

1.1 The vulnerability exists due to insufficient filtration of user-supplied data in "scope" HTTP GET parameter passed to "/index.php" script. A remote attacker can trick user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display user's cookies:

1.2 The vulnerability exists due to insufficient filtration of user-supplied data in "_wpnonce" HTTP GET parameter passed to "/wp-admin/edit.php" script. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoC (Proof-of-Concept) below uses "alert()" JavaScript function to display administrator's cookies:

1.3 The vulnerabilities exist due to insufficient filtration of user-supplied data in "user_name", "dbem_phone" and "user_email" HTTP GET parameters passed to "/index.php" script. A remote attacker can trick user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoCs (Proof-of-Concept) below use the "alert()" JavaScript function to display user's cookies:

1.4 The vulnerability exists due to insufficient filtration of user-supplied data in "booking_comment" HTTP POST parameter passed to "/index.php" script. A remote attacker can trick user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display user's cookies:
Vulnerabilities 1.3 and 1.4 will work only against unauthorized (not logged-in) users. Successful exploitation of these vulnerabilities also requires that event with id = 1 has turned-on registration.

Solution:
Upgrade to Events Manager 5.3.4

More Information:
http://wordpress.org/extend/plugins/events-manager/changelog/
http://wp-events-plugin.com/blog/2013/01/22/5-3-5-released-includes-a-security-update/


References:
[1] High-Tech Bridge Advisory HTB23139 - https://www.htbridge.com/advisory/HTB23139 - Multiple XSS vulnerabilities in Events Manager WordPress plugin.
[2] Events Manager - wp-events-plugin.com - Events Manager is a full-featured event registration plugin for WordPress based on the principles of flexibility, reliability and powerful features.
[3] Common Vulnerabilities and Exposures (CVE) - cve.mitre.org - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.