24 Oct

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Event Calendar WD

The changelog for the latest version of Event Calendar WD indicates that some sort of cross-site scripting (XSS) vulnerability had been fixed, “Fixed: XSS vulnerabilities”. Looking at the changes made in that version various data is escaped before being output, but when we went to check this out what we found that was incompletely done.

As an example of that, take the file /views/ecwd-organizer-content.php, which is used to display the info about an event organizer on the frontend of the website. In that file the following line was changed:

111
echo sprintf($organizer_website_html, "ecwd_organizer_website", $organizer_website, $organizer_website);

That was changed to:

111
echo sprintf($organizer_website_html, "ecwd_organizer_website", esc_url($organizer_website), $organizer_website);

That escapes one value from that using esc_url(). But the same value is not escaped right after that. That needs to be done because the value is also output as HTML code, as that value replaces the second “%s” in the following code:

$organizer_website_html = '<div class="%s"><span>' . __('Website', 'event-calendar-wd') . ':</span><a href="%s">%s</a></div>';

That isn’t the only issue in just that file because several lines above the first code we mentioned there is this code that also should have had escaping added:

107
echo sprintf($organizer_phone_html, "ecwd_organizer_phone", $organizer_phone);

The data that lacks the escaping there can normally be created by user with as low a role as a contributor, though at least an Author level user is needed to publish an organizer page.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. Hopefully they will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Proof of Concept

Create a new organizer, /wp-admin/edit.php?post_type=ecwd_organizer, with the Phone or Website value set to “<script>alert(“XSS”);</script>”. When visiting the page created by that, an alert box that says “XSS” will be shown.


Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if the knew about them as well as making sure that that needed security checks have been implemented in the plugin. If you order two reviews you will receive free lifetime subscription to our service.

Leave a Reply

Your email address will not be published. Required fields are marked *