WordPress Plugin Vulnerabilities

Xllentech English Islamic Calendar < 2.6.8 - Authenticated SQL Injection

Description

When deleting a date in the plugin, the year_number and month_number POST parameters are not sanitised, escaped or validated before being used in a SQL statement, leading to SQL injection.

Proof of Concept

Affects Plugins

Plugin icon
xllentech-english-islamic-calendar
Fixed in 2.6.8

References

CVE
CVE-2021-24341
URL
https://codevigilant.com/disclosure/2021/xllentech-english-islamic-calendar/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.7 (medium)

Miscellaneous

Original Researcher
Syed Sheeraz Ali of Codevigilant
Verified
Yes
WPVDB ID
1eba1c73-a19b-4226-afec-d27c48388a04

Timeline

Publicly Published
2021-05-27 (about 4 years ago)
Added
2021-05-27 (about 4 years ago)
Last Updated
2021-05-31 (about 4 years ago)

Other

Published
Title
Published
2025-07-11
Title
WordPress-WPJobBoard < 25.09000000-WP6.8.2-JB5.12.0 - Unauthenticated SQLi
Published
2024-01-16
Title
Burst Statistics Really Simple Plugins < 1.5.4 - Editor+ SQL Injection
Published
2016-01-30
Title
Simple Ads Manager < 2.9.5.118 - SQL Injection
Published
2023-01-23
Title
Pinpoint Booking System < 2.9.9.2.9 - Subscriber+ SQLi
Published
2025-03-27
Title
Lead Form Data Collection to CRM < 3.1 - Authenticated (Contributor+) SQL Injection