24 Oct 2018

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Event Calendar WD

The changelog for the latest version of Event Calendar WD indicates that some sort of cross-site scripting (XSS) vulnerability had been fixed: “Fixed: XSS vulnerabilities”. Looking at the changes made in that version, various data is now escaped before being output, but when we went to check this out we found that this was incompletely done.

As an example of that, take the file /views/ecwd-organizer-content.php, which is used to display the info about an event organizer on the frontend of the website. In that file the following line was changed:

echo sprintf($organizer_website_html, "ecwd_organizer_website", $organizer_website, $organizer_website);

That was changed to:

echo sprintf($organizer_website_html, "ecwd_organizer_website", esc_url($organizer_website), $organizer_website);

That escapes the first use of the value with esc_url(), but the same value is passed again right after that without escaping. It needs to be escaped there as well because the value is also output as HTML code: it replaces the second “%s” of the link, the one between the <a> tags, in the following code:

$organizer_website_html = '<div class="%s"><span>' . __('Website', 'event-calendar-wd') . ':</span><a href="%s">%s</a></div>';

That isn’t the only issue in that file: several lines above the first line we mentioned, there is this code, which also should have had escaping added:

echo sprintf($organizer_phone_html, "ecwd_organizer_phone", $organizer_phone);

The data that lacks the escaping there can normally be created by a user with a role as low as Contributor, though at least an Author level user is needed to publish an organizer page.
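The incomplete fix next to a fully escaped version, as an added example that is not the plugin's own code. The esc_html(), esc_url() and __() definitions are simplified stand-ins used only when WordPress is not loaded, the render_* helper names are hypothetical, and the phone format string is an assumed shape because the page does not show it.

```php
<?php
// Added example, not the plugin's code. Stand-ins so it runs without WordPress;
// inside WordPress the real esc_html(), esc_url() and __() are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: accept only http(s) URLs, then HTML-encode.
    function esc_url($url) {
        $url = trim((string) $url);
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('__')) {
    function __($text, $domain = 'default') {
        return $text;
    }
}

// The website format string is from the page; the phone one is an assumed shape.
$organizer_website_html = '<div class="%s"><span>' . __('Website', 'event-calendar-wd') . ':</span><a href="%s">%s</a></div>';
$organizer_phone_html = '<div class="%s"><span>' . __('Phone', 'event-calendar-wd') . ':</span><span>%s</span></div>';

function render_patched($fmt, $website) {   // the line as changed in the new version
    return sprintf($fmt, 'ecwd_organizer_website', esc_url($website), $website);
}
function render_hardened($fmt, $website) {  // each placeholder escaped for its context
    return sprintf($fmt, 'ecwd_organizer_website', esc_url($website), esc_html($website));
}
function render_phone_hardened($fmt, $phone) {
    return sprintf($fmt, 'ecwd_organizer_phone', esc_html($phone));
}

// Constructed input: the value used in the proof of concept.
$input = '<script>alert("XSS");</script>';

$patched = render_patched($organizer_website_html, $input);
$hardened = render_hardened($organizer_website_html, $input);
$phone = render_phone_hardened($organizer_phone_html, $input);

foreach (['patched' => $patched, 'hardened' => $hardened, 'phone' => $phone] as $name => $html) {
    // A raw "<script" in the output means the value reached the page as markup.
    printf("%-9s raw script tag: %s\n%s\n\n", $name, stripos($html, '<script') !== false ? 'YES' : 'no', $html);
}
```

The href attribute and the link text are different output contexts, which is why the same value needs esc_url() in one place and esc_html() in the other.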

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. Hopefully they will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Proof of Concept

Create a new organizer, /wp-admin/edit.php?post_type=ecwd_organizer, with the Phone or Website value set to “<script>alert("XSS");</script>”. When visiting the page created by that, an alert box that says “XSS” will be shown.

