Post Wed Mar 06, 2013 7:55 am

HTB23139: Multiple XSS vulnerabilities in Events Manager WordPress plugin

Advisory ID: HTB23139
Product: Events Manager WordPress plugin
Vendor: Marcus Sykes
Vulnerable Versions: 5.3.3 and probably prior
Tested Version: 5.3.3
Vendor Notification: January 16, 2013
Vendor Fix: January 17, 2013
Public Disclosure: March 6, 2013
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2013-1407
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab


Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in Events Manager WordPress plugin, which can be exploited to perform Cross-Site Scripting attacks.


1) Multiple XSS vulnerabilities in Events Manager WordPress plugin: CVE-2013-1407

1.1 The vulnerability exists due to insufficient filtration of user-supplied data in "scope" HTTP GET parameter passed to "/index.php" script. A remote attacker can trick user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display user's cookies:
  Code:
http://[host]/?page_id=42&scope=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E,%22%3E%3C script%3Ealert%28document.cookie%29;%3C/script%3E


1.2 The vulnerability exists due to insufficient filtration of user-supplied data in "_wpnonce" HTTP GET parameter passed to "/wp-admin/edit.php" script. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoC (Proof-of-Concept) below uses "alert()" JavaScript function to display administrator's cookies:
  Code:
http://[host]/wp-admin/edit.php?post_type=event&page=events-manager-bookings&_wpnonce=%22%3E%3Cscrip t%3Ealert%28document.cookie%29;%3C/script%3E


1.3 The vulnerabilities exist due to insufficient filtration of user-supplied data in "user_name", "dbem_phone" and "user_email" HTTP GET parameters passed to "/index.php" script. A remote attacker can trick user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoCs (Proof-of-Concept) below use the "alert()" JavaScript function to display user's cookies:
  Code:
http://[host]/?event=1&user_name=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/?event=1&dbem_phone=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/?event=1&user_email=%27%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E


1.4 The vulnerability exists due to insufficient filtration of user-supplied data in "booking_comment" HTTP POST parameter passed to "/index.php" script. A remote attacker can trick user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

PoC (Proof-of-Concept) below uses the "alert()" JavaScript function to display user's cookies:
  Code:
<form action="http://[host]/?event=1" method="post" name="askform">
<input type="hidden" name="booking_comment" value="</textarea><script>alert(document.cookie);</script>"/>
<input type="submit" id="btn">
</form>

Vulnerabilities 1.3 and 1.4 will work only against unauthorized (not logged-in) users. Successful exploitation of these vulnerabilities also requires that event with id = 1 has turned-on registration.

Solution:
Upgrade to Events Manager 5.3.4

More Information:
http://wordpress.org/extend/plugins/eve ... changelog/
http://wp-events-plugin.com/blog/2013/0 ... ty-update/


References:
[1] High-Tech Bridge Advisory HTB23139 - https://www.htbridge.com/advisory/HTB23139 - Multiple XSS vulnerabilities in Events Manager WordPress plugin.
[2] Events Manager - wp-events-plugin.com - Events Manager is a full-featured event registration plugin for WordPress based on the principles of flexibility, reliability and powerful features.
[3] Common Vulnerabilities and Exposures (CVE) - cve.mitre.org - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.