Vulnerability in WP Events Schedule Plugincover image

Vulnerability in WP Events Schedule Plugin

Tim Bernhard

WordPressSecurity

This post is old. Codes, opinions and facts could be outdated.

Help to fix potential errors: GitHub

This is my first post of a vulnerability I discovered and reported.

It is not the first vulnerability I detected and reported though, a few years ago I found a way to send mails from and to addresses I should not be able to. That one lead to me being employed by the corresponding company to help manage their software systems. A story for another day.

Today, let me disclose a vulnerability in the program "Events Schedule" for WordPress. This Plugin allows you to set up a calendar view and corresponding posts. It also allows you to export posts resp. events as iCal events for your favorite calendar application.

Where is the problem?

The way the iCal export works was the problem: it used the parameters in the URL for the export, totally ignoring whether the URL data was corresponding to actual event data as entered in WordPress.

Why is this a problem?

The fact, that the data is not verified, enables the distribution of wrong information through fake, false or, worse, malicious calendar entries seemingly coming from a valid and trusted source (i.e. my website, or whoever is using your plugin).

A simple example: sports club XY is using this plugin to schedule their events. One of their players (A) is worse than some other player (B). That is why A wants B to not appear at a match, as otherwise, A has no chance to be let play. What A can do now, is send a link to B, something on the line of "Look, we have a match on this and this date in a place", where the place is a few thousand kilometers from where the match actually is, and where the link leads to the calendar entry, that is generated simply by adjusting the URL parameters. So B would go the wrong place and time and miss the match, while A would be playing the match with a guilty conscience.

What to do now?

The developers claim to be working on a new version of the plugin, and therefore, they will not fix this issue in the current one. The new version requires some time, so for the moment, users of the plugin are left alone with this issue.

The workaround possibilities are the following:

  • educate your users not to trust the links they get, even if they contain your URL,
  • switch to a different plugin,
  • disable the iCal functionality by uncommenting the code in the file ical.new.php (resp. wp-content/plugins/weekly-class/api/ical.new.php) (NOTE: you will need to do this over an over everytime there is an update to the plugin, if there is)
  • create a child plugin with the functionality disabled,
  • change the plugin code yourself to include a check,
  • etc.

In any case, the vulnerability is rather low severity in most contexts, I would say.

Timeline of Disclosure

26.3.2021, 17:30 GMT+2: Report to the theme developer:

Dear Support,

I would like to report an issue in your code that I consider a security issue.
The way the iCal export works, allows an evil entity to distribute fake/false or, worse,
malicious calendar entries seemingly coming from a valid and trusted source (i.e. my website, or whoever is using your plugin).

Please fix this issue, e.g. in such a way to allow export only of actually existing calendar entries.

Best regards,

Tim

26.3.2021, 19:43 GMT+2: Confirmation by the developers including declaring interest to fix the issue by total refactor of the iCal export.

6.4.2021, 20:40 GMT+2: Confirmation by the developers that I am allowed to write this up, despite no fix being available yet. Promise to publish version 3 of the plugin somewhen later, which is to include the required changes.

Webmentions

No webmentions found for this page.