The Events Calendar Countdown Addon <= 1.4.15 - Missing Authorization
Description
The The Events Calendar Countdown Addon plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.4.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.4.15Source Code
WordPress.org SVNAs the source code for the **The Events Calendar Countdown Addon** plugin is not provided, this research plan is designed to first identify the specific vulnerable endpoint using automated discovery and then execute the exploit. ## 1. Vulnerability Summary The "The Events Calendar Countdown Addon" …
Show full research plan
As the source code for the The Events Calendar Countdown Addon plugin is not provided, this research plan is designed to first identify the specific vulnerable endpoint using automated discovery and then execute the exploit.
1. Vulnerability Summary
The "The Events Calendar Countdown Addon" plugin (up to 1.4.15) contains a missing authorization vulnerability. An AJAX handler (likely registered with wp_ajax_) fails to perform a capability check (e.g., current_user_can( 'manage_options' )) before executing a privileged action. This allows any authenticated user, including those with Subscriber privileges, to invoke the function. The "unauthorized action" typically involves modifying plugin settings, updating countdown configurations, or potentially altering database options.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Vulnerable Action: (Inferred) An AJAX action such as
ecc_save_settings,ect_save_data, orcountdown_update_options. - Payload Parameters:
action=[ACTION_NAME],_ajax_nonce(if applicable), and various setting fields (e.g.,countdown_date,countdown_text). - Authentication: Subscriber-level credentials (
subscriber/subscriber). - Precondition: The plugin must be active.
3. Code Flow (Discovery Phase)
Since source files are absent, the first task is to locate the vulnerable hook.
- Entry Point Identification:
Search for AJAX registrations in the plugin directory:grep -rn "add_action.*wp_ajax_" /var/www/html/wp-content/plugins/countdown-for-the-events-calendar/ - Authorization Audit:
For each identified action, locate the callback function and check for:- Lack of
current_user_can(...). - Presence of
check_ajax_referer(...)orwp_verify_nonce(...).
- Lack of
- Trace Sink:
Examine the callback to see if it callsupdate_option(),update_post_meta(), or direct$wpdbqueries.
4. Nonce Acquisition Strategy
If the identified handler uses check_ajax_referer, we must extract the nonce.
- Identify Nonce Location:
Search forwp_localize_scriptorwp_create_noncein the plugin:grep -rn "wp_create_nonce" /var/www/html/wp-content/plugins/countdown-for-the-events-calendar/ - Determine Visibility:
Nonces used inwp_ajax_handlers are often localized to scripts loaded in the WordPress dashboard. Since Subscribers can access/wp-admin/profile.php, they can often leak these nonces. - Extraction:
- Navigate to
/wp-admin/profile.phpas a Subscriber. - Use
browser_evalto find the localization object. - Likely Variable (Inferred):
window.ecc_obj?.nonceorwindow.ect_admin?.ajax_nonce.
- Navigate to
5. Exploitation Strategy
Once the action and nonce are identified, follow these steps:
- Authenticate: Log in as
subscriber. - Identify Target Setting: Determine which option the plugin controls (e.g.,
ecc_countdown_settings). - Craft Request:
Construct a POST request toadmin-ajax.php.POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8080 Content-Type: application/x-www-form-urlencoded Cookie: [Subscriber Cookies] action=[IDENTIFIED_ACTION]&nonce=[EXTRACTED_NONCE]&target_option_key=malicious_value - Execute: Use the
http_requesttool to send the payload.
6. Test Data Setup
- Install Plugin: Ensure
countdown-for-the-events-calendarversion 1.4.15 is installed. - Create User:
wp user create attacker attacker@example.com --role=subscriber --user_pass=subscriber - Configure Initial State: Create a dummy countdown or save initial settings to have a baseline for comparison.
wp option get [PLUGIN_OPTION_NAME]
7. Expected Results
- Response: The server returns a successful response (likely
1,true, or a JSON success message). - State Change: The plugin's configuration or a global WordPress option is updated to the value provided in the Subscriber's request.
8. Verification Steps
- Verify via CLI:
Check the database for the updated value:wp option get [PLUGIN_OPTION_NAME] - Confirm Lack of Auth:
Verify the code at the identified file/line:sed -n '[LINE_START],[LINE_END]p' [FILE_PATH]
Confirm thatcurrent_user_canis indeed missing from the function body.
9. Alternative Approaches
If the plugin does not use wp_ajax_, check for:
- Admin Init Hooks:
add_action( 'admin_init', ... )functions often process$_POSTdata and run on every admin page load (includingadmin-ajax.php) without proper authorization checks. - REST API:
grep -rn "register_rest_route" /var/www/html/wp-content/plugins/countdown-for-the-events-calendar/
Check if thepermission_callbackreturnstrueor is missing.
Summary
The Events Calendar Countdown Addon for WordPress (up to 1.4.15) is vulnerable to missing authorization in its AJAX handlers. This allows authenticated attackers with Subscriber-level privileges or higher to perform unauthorized actions, such as modifying plugin settings, because the server fails to verify user capabilities before executing privileged tasks.
Exploit Outline
To exploit this vulnerability, an attacker first authenticates as a Subscriber-level user. They then extract a valid AJAX nonce, which is typically exposed in the WordPress dashboard via localized scripts (e.g., in window.ect_admin or similar objects). With the nonce, the attacker sends a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the plugin's vulnerable handler (such as 'ect_save_data') and includes the desired malicious configuration parameters in the payload. Since the plugin lacks a current_user_can() check, the request is processed as if it came from an administrator.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.