Nettitude have identified a Cross Site Scripting (XSS) vulnerability within Event Espresso Core.
Proof of Concept
Event Espresso accepts user input from the
The vulnerability was identified within a template file which was not intended to be called directly; however, there are no controls preventing an unauthenticated user from doing so.
When a link containing the highlighted code is clicked by a target, their web browser makes the following HTTP request:
The impact of this vulnerability would vary depending on the affected website. An attacker could potentially exploit this issue in order to steal cookies, credentials, or other personally identifiable information (PII). Alternatively, the target user could be redirected to a malicious website or prompted to execute malware, etc.
This vulnerability affects Event Espresso Core version 4.10.6.p and below. The most recent vulnerable release is available from the following URL:
The affected template is as follows:
This vulnerability is caused by a request parameter being echoed directly into the page without encoding. There is no check that the template has been loaded by WordPress, so it can be requested directly.
The affected template was deprecated and removed from Event Espresso in version 4.10.7.p. As a result, this version is no longer affected.
Untrusted user input should be validated and HTML-encoded before it is outputted within the application response. Scripts and templates which are designed to be included within a WordPress plugin should include server-side checks to ensure they are not called directly.
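As an added illustration of both remediation points above (example code written for this advisory, not Event Espresso's own template), the following hypothetical plugin template refuses to run unless WordPress included it, and encodes the request parameter for the context it is written into. The parameter name `msg` and the markup are assumptions.

```php
<?php
/**
 * Hypothetical plugin template (not from Event Espresso) showing the fix.
 *
 * The vulnerable pattern the advisory describes is a template that can be
 * fetched directly over HTTP and echoes a request parameter unencoded, e.g.
 *
 *     echo $_GET['msg'];   // reflected XSS: markup in 'msg' reaches the browser
 */

// Fix 1: refuse to run unless WordPress loaded this file. ABSPATH is defined
// by wp-load.php, so a direct request to .../templates/this-file.php yields an
// empty response instead of executing the template (and instead of a fatal
// error from calling WordPress functions that are not loaded).
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Fix 2: treat the parameter as untrusted text. wp_unslash() removes the
// slashes WordPress adds to request data; sanitize_text_field() strips tags,
// octets and control characters. The name 'msg' is an assumption.
$msg = isset( $_GET['msg'] ) ? sanitize_text_field( wp_unslash( $_GET['msg'] ) ) : '';

// Encode on output for the context the value lands in: esc_html() for element
// content, esc_attr() for attribute values. Input sanitising is not a
// substitute for output encoding, so both are applied.
?>
<div class="notice" data-message="<?php echo esc_attr( $msg ); ?>">
    <?php echo esc_html( $msg ); ?>
</div>
```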
- Discovery by Nettitude: 03 August, 2020
- Vendor fix released: 16 September, 2020 (prior to being notified by Nettitude)
- Vendor informed: 22 September, 2020
- CVE Assigned: 30 September, 2020
- Nettitude blog: 25 June, 2021