EventON (Free < 2.2.7, Premium < 4.5.5) – Admin+ Stored Cross-Site Scripting | CVE 2023-6005 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. Go to the EventON Lite settings and create/activate a custom metadata field. 
2. Then, insert the new custom metadata field.
3. Create a new Event itself and for the the Custom Meta Field value, insert the payload `" style=animation-name:rotation onanimationstart=alert(/XSS/)//`
4.The Stored XSS will be triggered when editing the event again.

Affects Plugins

Fixed in 4.5.5

Fixed in 2.2.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Miguel Santareno

Submitter

Miguel Santareno

Submitter website

https://miguelsantareno.github.io/

Submitter twitter

MiguelSantareno

Verified

Yes

WPVDB ID

fa4eea26-0611-4fa8-a947-f78ddf46a56a

Timeline

Publicly Published

2024-01-10 (about 4 months ago)

Added

2024-01-10 (about 4 months ago)

Last Updated

2024-01-10 (about 4 months ago)

Other

Published

Title

Published

2023-12-06

Title

Shortcodes and extra features for Phlox theme < 2.15.5 - Contributor+ Stored XSS

Published

2023-08-30

Title

Livestream Notice < 1.3.0 - Admin+ Stored XSS

Published

2016-02-07

Title

InstaLinker <= 1.1.1 - Reflected Cross-Site Scripting (XSS)

Published

2023-05-09

Title

ExactMetrics < 7.14.2 - Contributor+ Stored XSS

Published

2015-10-12

Title

Pie-Register <= 2.0.18 - Unauthenticated Reflected Cross-Site Scripting (XSS)