ThreatPress

WordPress Vulnerabilities Database

WordPress WP Events Calendar plugin <= 1.0 - SQL Injection (SQLi) vulnerability

Product
WP Events Calendar
Description
SQL Injection (SQLi) vulnerability found by Ozkan Mustafa Akkus in the premium WordPress WP Events Calendar plugin (versions <= 1.0). An attacker can perform attacks via the calendar's AJAX queries. The plugin is fully PHP-enabled, and SQL queries can be run through the "month" and "year" parameters.
Solution
5 June 2018 - we were unable to find an updated version or its changelog.
Classification
Type: SQL Injection
OWASP Top 10: A1: Injection
References
Packet Storm
CVE
Name: CVE-N/A
Versions
Affected In: <= 1.0
Disclosure date
2018-06-05
Credits
Ozkan Mustafa Akkus
Submitter
ThreatPress