WordPress Plugin Security Alert: Events Made Easy
Events Made Easy WordPress Plugin
Excerpt from WordPress:
Events Made Easy is a full-featured event management solution for WordPress. Events Made Easy supports public, private, draft and recurring events, locations management, RSVP (+ optional approval), PayPal, 2Checkout, FirstData and Google Maps. With Events Made Easy you can plan and publish your event, or let people reserve spaces for your weekly meetings. You can add events list, calendars and description to your blog using multiple sidebar widgets or shortcodes; if you are a web designer you can simply employ the template tags provided by Events Made Easy.
Excerpt as reported by David Sopas:
Possible attack scenario:
- Malicious user checks that Events Made Easy is installed on a WordPress installation
- Malicious user sends admin a link to the page that has this auto-submit form
- Without victim noticing, events older than 1 day will be removed.
David Sopas – https://www.davidsopas.com/events-made-easy-wordpress-plugin-csrf-persistent-xss/
WordPress Plugin – https://wordpress.org/plugins/events-made-easy/
Plugin Download – https://downloads.wordpress.org/plugin/events-made-easy.1.5.51.zip
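The scenario above works only when a state-changing admin request is accepted without proof that it came from the site's own form. The following is an added example, not code from Events Made Easy or from the report, showing the standard WordPress pattern for an admin action of this kind: a capability check plus a nonce that a cross-site auto-submit form cannot supply. The action name, nonce field, table, column and redirect page are hypothetical.

```php
<?php
// Added example: hypothetical admin action, NOT Events Made Easy's own code.
// Assumes this file is loaded by WordPress as part of a plugin.
const DEMO_CLEANUP_ACTION = 'demo_events_cleanup'; // hypothetical action name
const DEMO_CLEANUP_CAP    = 'manage_options';      // assumed required capability

// Render the cleanup form with a nonce tied to this action and the logged-in user.
function demo_render_cleanup_form() {
    if ( ! current_user_can( DEMO_CLEANUP_CAP ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( DEMO_CLEANUP_ACTION ); ?>">
        <?php wp_nonce_field( DEMO_CLEANUP_ACTION, '_demo_nonce' ); ?>
        <label>Remove events older than <input type="number" name="days" min="1" value="1"> day(s)</label>
        <?php submit_button( 'Clean up' ); ?>
    </form>
    <?php
}

// Handle the POST: nothing is deleted unless capability and nonce both check out.
function demo_handle_cleanup() {
    if ( ! current_user_can( DEMO_CLEANUP_CAP ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // A form auto-submitted from another site carries no valid nonce, so this call ends the request.
    check_admin_referer( DEMO_CLEANUP_ACTION, '_demo_nonce' );
    $days = isset( $_POST['days'] ) ? absint( $_POST['days'] ) : 0;
    if ( $days < 1 ) {
        wp_die( 'Invalid value.', '', array( 'response' => 400 ) );
    }
    demo_delete_events_older_than( $days );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-events&cleaned=1' ) ); // hypothetical page slug
    exit;
}
add_action( 'admin_post_' . DEMO_CLEANUP_ACTION, 'demo_handle_cleanup' );

// Delete old rows with a prepared statement; table and column names are hypothetical.
function demo_delete_events_older_than( $days ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_events';
    return $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE event_end < DATE_SUB( NOW(), INTERVAL %d DAY )",
        $days
    ) );
}
```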