WordPress Plugin Vulnerabilities

Simple Events Calendar <= 1.3.5 - Authenticated SQL Injection

Description

Type user access: administrator user.
$_POST[‘event_id’] is not escaped.

File / Code:

Path Request: /wp-content/plugins/simple-events-calendar/simple-events-calendar.php

Line : 467

$edit_event = $_POST['event_id'];
$update = $wpdb->get_results( " SELECT * FROM $table_name WHERE id = $edit_event ", "ARRAY_A" );

Proof of Concept

Affects Plugins

Plugin icon
simple-events-calendar
No known fix

References

URL
https://lenonleite.com.br/en/2017/11/03/simple-events-calendar-1-3-5-wordpress-plugin-sql-injection/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Submitter
Lenon Leite
Submitter website
http://lenonleite.com.br/
Submitter twitter
lenonleite
Verified
No
WPVDB ID
71109bb2-3497-40d8-ab05-1114b5e664c5

Timeline

Publicly Published
2017-11-03 (about 8 years ago)
Added
2017-11-12 (about 8 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2026-03-20
Title
myLinksDump <= 1.6 - Authenticated (Administrator+) SQL Injection via 'sort_by' and 'sort_order' Parameters
Published
2025-08-27
Title
Simple Download Monitor < 3.9.34 - Simple Download Monitor < 3.9.34 – Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality
Published
2026-02-17
Title
Taskbuilder < 5.0.3 - Authenticated (Subscriber+) SQL Injection via 'order' and 'sort_by' Parameters
Published
2022-04-27
Title
RSVPMaker < 9.2.7 - Unauthenticated SQLi
Published
2022-12-08
Title
Qe SEO Handyman <= 1.0 - Admin+ SQLi