Critical WordPress Plugin Flaw Puts Over 10,000 Sites at Risk of Cyberattack
A serious security flaw affecting the Eventin plugin, a popular event management solution for WordPress, was recently discovered by Denver Jackson, a member of the Patchstack Alliance community.
This vulnerability in the plugin, which boasts over 10,000 active installations, allowed any unauthenticated user to gain administrative access to the affected sites, putting them at significant cybersecurity risk.
The flaw resides in the /wp-json/eventin/v2/speakers/import REST API endpoint of the Eventin plugin.
Due to a lack of proper permission checks, any individual could manipulate this endpoint to escalate their privileges to an administrative level.
This escalation was possible because the function responsible for validating user permissions, import_item_permissions_check(), simply returned true without performing any actual check, thereby permitting unauthenticated access.
The endpoint could be exploited by uploading a CSV file containing user details, including the desired role, set to administrator.
When processed, this functionality would create a new user with full administrative rights, enabling attackers to reset the password and gain full control over the site.
Technical Breakdown
Upon investigation, the import_item_permissions_check function in the SpeakerController.php file did not perform any actual checks:

```php
public function import_item_permissions_check( $request ) {
    return true;
}
```
This allowed any user to access the endpoint. Following this, the import_items function processes the uploaded file:

```php
public function import_items( $request ) {
    $data = $request->get_file_params();
    $file = ! empty( $data['speaker_import'] ) ? $data['speaker_import'] : '';

    if ( ! $file ) {
        return new WP_Error( 'empty_file', __( 'You must provide a valid file.', 'eventin' ), [ 'status' => 409 ] );
    }

    $importer = new SpeakerImporter();
    $importer->import( $file );

    $response = [
        'message' => __( 'Successfully imported speaker', 'eventin' ),
    ];

    return rest_ensure_response( $response );
}
```
The SpeakerImporter class then reads the file and creates new users with roles as specified in the data, which could lead to the creation of unauthorized administrators:

```php
private function create_speaker() {
    // ... [code for processing file data]
    $args = [
        // ... other user details,
        'role' => ! empty( $row['role'] ) ? $row['role'] : '',
    ];
    $speaker->create( $args );
}
```
The Patch
According to the report, version 4.0.27 of the Eventin plugin addresses this vulnerability by adding a robust permission check within the import_item_permissions_check() function and implementing a whitelist of permissible roles during user import:

```php
public function import_item_permissions_check( $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', __( 'You do not have permission to import users.', 'eventin' ), [ 'status' => 403 ] );
    }
    return true;
}
```
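As an added example (this is not Eventin's code and not the exact patch the report describes), the following shows how a developer would wire up the same kind of endpoint with both mitigations the report names: a real capability check in the REST route's permission_callback, and an allow-list of roles that the importer is permitted to assign, so a role column in the uploaded file can never yield an administrator. It assumes it runs inside a loaded WordPress install; the namespace, class, route name, role names and CSV column names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded so that
// register_rest_route(), current_user_can(), wp_insert_user() etc. exist.
// Namespace, class, route and role names below are hypothetical.

namespace Example\Eventin;

use WP_Error;
use WP_REST_Request;
use WP_REST_Server;

class SpeakerImportController {

    // The only roles an import row may assign. Privileged roles are deliberately absent,
    // so a 'role' value of 'administrator' in the file is ignored, never honoured.
    const ALLOWED_ROLES = [ 'subscriber', 'example_speaker' ];

    public function register_routes() {
        register_rest_route( 'example-eventin/v2', '/speakers/import', [
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => [ $this, 'import_items' ],
            // This is the callback the vulnerable version satisfied with an unconditional `return true`.
            'permission_callback' => [ $this, 'import_item_permissions_check' ],
        ] );
    }

    public function import_item_permissions_check( WP_REST_Request $request ) {
        // Importing creates user accounts, so require the capability for that.
        // An unauthenticated request is user 0, for which current_user_can() is false.
        if ( ! current_user_can( 'create_users' ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'You do not have permission to import speakers.', 'example-eventin' ),
                [ 'status' => rest_authorization_required_code() ] // 401 when logged out, 403 when logged in
            );
        }
        return true;
    }

    public function import_items( WP_REST_Request $request ) {
        $files = $request->get_file_params();
        $tmp   = $files['speaker_import']['tmp_name'] ?? '';
        if ( ! $tmp || ! is_uploaded_file( $tmp ) ) {
            return new WP_Error( 'empty_file', __( 'You must provide a valid file.', 'example-eventin' ), [ 'status' => 400 ] );
        }

        $created = 0;
        foreach ( $this->read_csv( $tmp ) as $row ) {
            if ( ! is_wp_error( $this->create_speaker( $row ) ) ) {
                $created++;
            }
        }
        return rest_ensure_response( [ 'created' => $created ] );
    }

    // Reads a CSV with a header row into associative arrays; malformed rows are dropped.
    private function read_csv( $path ) {
        $rows   = [];
        $handle = fopen( $path, 'r' );
        if ( ! $handle ) {
            return $rows;
        }
        $header = fgetcsv( $handle );
        while ( $header && ( $line = fgetcsv( $handle ) ) !== false ) {
            if ( count( $line ) === count( $header ) ) {
                $rows[] = array_combine( $header, $line );
            }
        }
        fclose( $handle );
        return $rows;
    }

    // The role from the file is only a hint: anything outside the allow-list
    // falls back to the least-privileged role instead of being passed through.
    private function sanitize_role( $requested ) {
        $role = sanitize_key( (string) $requested );
        return in_array( $role, self::ALLOWED_ROLES, true ) ? $role : self::ALLOWED_ROLES[0];
    }

    private function create_speaker( array $row ) {
        $email = sanitize_email( $row['email'] ?? '' );
        if ( ! is_email( $email ) ) {
            return new WP_Error( 'invalid_email', 'Row skipped: invalid email address.' );
        }
        return wp_insert_user( [
            'user_login' => sanitize_user( $row['username'] ?? $email, true ),
            'user_email' => $email,
            'user_pass'  => wp_generate_password( 24 ), // never taken from the file
            'role'       => $this->sanitize_role( $row['role'] ?? '' ),
        ] );
    }
}

add_action( 'rest_api_init', function () {
    ( new SpeakerImportController() )->register_routes();
} );
```

Two design choices matter here. First, the capability check lives in permission_callback rather than inside the handler, because WordPress evaluates that callback before the handler runs and refuses to register a route without one, so a missing check is visible at review time. Second, the importer never passes the file's role value straight to wp_insert_user; the allow-list means the worst a crafted row can do is create a low-privilege account, which is exactly the privilege-escalation path this vulnerability relied on.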

This vulnerability underscores the critical nature of proper permission handling in software development.
For site administrators using Eventin, immediate action to update to version 4.0.27 or higher is recommended to safeguard their installations.
For developers, this incident serves as a reminder of the importance of not just implementing but also verifying the effectiveness of security measures to prevent such exploitable oversights.
Patchstack, the security firm that facilitated the bug bounty, has ensured that their customers are already protected against this vulnerability through their Enterprise API and security audit services, emphasizing the role of proactive security measures in web development.