(6) exploitable XSS issues ALL Versions from version 1.4 to 1.8.2

Vendor Notification: 21 March 2012 Public Disclosure: 11 April 2012
As of 11/29/2012, This Issue has NO VENDOR SOLUTION. The article states the exposure started with 1.4 and I can confirm it was exploitable with the current version

To re-validate, create a new event, set the event title to ><script>alert(document.cookie);</script>
preview the event. if you see a popup

I re-validated as of 11-28-12, this IS exploitable today with a fully up to date WordPress site and fully up to date set of plugins including all-in-one event calendar.

Exposure: Any person capable of editing or creating an all-in-one event can set or be exploited to set the attack string which can steal WordPress credentials for the logged in session, infect normal or admin WordPress users roles with drive by download malware. Any site running over HTTP where events are added or edited can also be exploited to inject this persistent XSS to take blog users or admin users off site for drive by download, or credential exploit.
XSS is a vulnerability fully capable of fully compromising the affected user machine, including server if the admins hit an exploited page.

For remediation the affected values must be encoded. The Following WordPress security plugins are either not intended to prevent XSS or are ineffective at preventing exploit of this issue: including but not limited to Mute screamer, PHP IDS, AVH First Defense Against Spam and BPS Pro.

<rhetorical>Where are these remotely exploitable issues suppose to appear in the WordPress interface.

Perhaps a little public disclosure to more than the security researcher and hacker community might mitigate some un-managed risk. Seriously how hard is it to HTML encode or java script encode as applicable, 6 forms affected user space properties?

These remotely exploitable issues should display somewhere in the plugins management window, they should be required to display before installation or update of the plugin if unfixed</rhetorical>

CVE-2012-1835
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1835

Advisory ID: HTB23082
Product: All-in-One Event Calendar Plugin for WordPress
Vendor: The Seed Studio
Initial Vulnerable Version(s): 1.4 and probably prior Tested Version: 1.4 Vendor Notification: 21 March 2012 Public Disclosure: 11 April 2012 Vulnerability Type: Cross-Site Scripting (XSS) CVE Reference(s): CVE-2012-1835 Risk Level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.com/advisory/ )

———————————————————————————————–

Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in All-in-One Event Calendar Plugin for WordPress, which can be exploited to perform Cross-Site Scripting (XSS) attacks.

1) Cross-Site Scripting (XSS) in All-in-One Event Calendar Plugin for WordPress: CVE-2012-1835

1.1 Input passed via the “title” GET parameter to /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:

https://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title%5Bid%5D=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.2 Input passed via the “args”, “title”, “before_title”, “after_title” GET parameters to /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of the affected website.

The following PoC (Proof of Concept) demonstrate the vulnerabilities:

https://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args%5Bbefore_widget%5D=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
https://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
https://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
https://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.3 Input passed via the “button_value” GET parameter to /wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:

https://wp/wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php?button_value=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.4 Input passed via the “msg” GET parameter to /wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user’s browser session in context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:

https://wp/wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php?msg=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Successful exploitation of these vulnerabilities (1.1-1.4) requires that “register_globals” is enabled.

———————————————————————————————–

Solution:

Currently we are not aware of any vendor-supplied patches or other solutions.

Edit the application source code to ensure that input is properly sanitized.

———————————————————————————————–

References:

[1] High-Tech Bridge Advisory HTB23082 – https://www.htbridge.com/advisory/HTB23082 – Multiple XSS vulnerabilities in All-in-One Event Calendar Plugin for WordPress.
[2] All-in-One Event Calendar Plugin for WordPress – https://theseednetwork.com/ – An event calendar system with month, week, agenda views, upcoming events widget, color-coded categories, recurrence, and import/export of .ics feeds.
[3] Common Vulnerabilities and Exposures (CVE) – https://cve.mitre.org/ – international in scope and free for public use, CVE? is a dictionary of publicly known information security vulnerabilities and exposures.

———————————————————————————————–

Disclaimer: The information provided in this Advisory is provided “as is” and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

If you write code, go to , read and understand and implement controls you can find at https://www.OWASP.org
You can not depend on WordPress or plugin security controls to mitigate YOUR code risks.