Events Calendar for GeoDirectory Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the Events Calendar for GeoDirectory plugin for WordPress, affecting versions through 2.3.28. The issue arises in the ajax_ayi_action() handler, which does not adequately validate or sanitize the attacker-controlled $_POST['type'] and $_POST['postid'] values before passing them to update_ayi_data(), which writes them as a meta key and value into the current user's user meta. By exploiting this flaw, an authenticated attacker with Subscriber-level access can manipulate their wp_capabilities user meta to gain Administrator privileges.

Impact

Exploitation of this vulnerability allows authenticated users with Subscriber-level access to escalate their privileges to Administrator.

Reproduction

To reproduce this vulnerability, an authenticated user must send a request to the ajax_ayi_action() handler with the 'type' parameter set to 'wp_capabilities' and the 'postid' parameter set to 'administrator'. This can be done using a tool like Postman or through custom JavaScript that interacts with the WordPress admin-ajax.php file. Because the handler performs no proper validation or sanitization, these attacker-supplied values are processed unchanged.

Remediation

Users are advised to update the Events Calendar for GeoDirectory plugin to version 2.3.29 or later.
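The kind of fix the update implies, as an added illustration that is not the plugin's own code: the request may choose only from a fixed set of meta keys, the value must be a real post ID, and the request must carry a nonce. The function, nonce and meta key names are assumed for the example.

```php
<?php
// Added illustration, not the plugin's code: a hardened AJAX handler that
// stores a per-user value without letting the request pick the meta key.
// Function, nonce and meta key names are hypothetical.

// Only meta keys the feature actually owns. 'wp_capabilities' can never
// appear here, so a request cannot target the role storage.
const EXAMPLE_AYI_ALLOWED_META = array( 'example_ayi_going', 'example_ayi_interested' );

function example_secure_ayi_action() {
    // 1. Reject forged or replayed requests (CSRF protection).
    check_ajax_referer( 'example_ayi_nonce', 'nonce' );

    // 2. Only logged-in users may store a value about themselves.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 3. Allow-list the meta key instead of trusting $_POST['type'].
    $type = isset( $_POST['type'] ) ? sanitize_key( wp_unslash( $_POST['type'] ) ) : '';
    if ( ! in_array( $type, EXAMPLE_AYI_ALLOWED_META, true ) ) {
        wp_send_json_error( 'invalid type', 400 );
    }

    // 4. The value must be a numeric ID of a post that really exists,
    //    so a string such as a role name is rejected before any write.
    $postid = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
    if ( 0 === $postid || null === get_post( $postid ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // Key and value now come from fixed sets, so the write cannot touch
    // wp_capabilities or any other key the feature does not own.
    update_user_meta( get_current_user_id(), $type, $postid );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_ayi_action', 'example_secure_ayi_action' );
```

The allow-list on the meta key is the decisive control; sanitizing the value alone would not stop a request from naming wp_capabilities as the key.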

Added: Jun 9, 2026, 9:37 AM
Updated: Jun 9, 2026, 9:37 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 9.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.