LRQA have identified a Cross Site Scripting (XSS) vulnerability within Event Espresso Core.

Event Espresso is a WordPress plugin which provides online event registration and ticket management. Versions 4.10.6.p and below allow remote attackers to inject arbitrary JavaScript or HTML via a URL parameter.

Proof of Concept

Event Espresso accepts user input from the page URL parameter, outputting it directly within the response without escaping HTML characters. As a result, it is possible to inject malicious JavaScript and HTML through a specially crafted GET request.

The vulnerability was identified within a template file which was not intended to be called directly, however there are no controls limiting an unauthenticated user from doing so.

Example request:

  • https://example.com/wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php?page="/><script>alert("XSS");</script><b

When a link containing the highlighted code is clicked by a target, their web browser makes the following HTTP request:

The application responds as follows, with the injected JavaScript inserted directly into the response, without being HTML-encoded.

As a result, the script is executed by the user’s web browser, opening a JavaScript alert:

The impact of this vulnerability would vary depending on the affected website. An attacker could potentially exploit this issue in order to steal cookies, credentials, or other personally identifiable information (PII).  Alternatively, the target user could be redirected to a malicious website or prompted to execute malware, etc.

Affected Component

This vulnerability affects Event Espresso Core version 4.10.6.p and below. The most recent vulnerable release is available from the following URL:

Affected template

The affected template is as follows:

  • wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php

This vulnerability is caused by a request parameter being directly outputted to the page. There is no check to ensure the template has been loaded by WordPress, allowing it to be called directly.

Conclusion

The affected template was deprecated and removed from Event Espresso in version 4.10.7.p. As a result, this version is no longer affected.

Patched release:

Untrusted user input should be validated and HTML-encoded before it is outputted within the application response. Scripts and templates which are designed to be included within a WordPress plugin should include server-side checks to ensure they are not called directly.

Timeline

  1. Discovery by LRQA: 03 August, 2020
  2. Vendor fix released: 16 September, 2020 (prior to being notified by LRQA)
  3. Vendor informed: 22 September, 2020
  4. CVE Assigned: 30 September, 2020
  5. LRQA blog: 25 June, 2021