WordPress Plugin Vulnerabilities

Event Espresso Lite < 3.1.37.12.L - Authenticated Blind SQL Injection

Description

The Event Espresso - Lite Event Management and Registration System WordPress plugin was affected by an Authenticates Blind SQL Injection security vulnerability.

Affects Plugins

Plugin icon
event-espresso-free
Fixed in 3.1.37.12.L

References

CVE
CVE-2017-1002026
URL
http://www.vapidlabs.com/advisory.php?v=197
URL
https://plugins.trac.wordpress.org/changeset/1694666/event-espresso-free

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.8 (high)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
73db717d-4eec-4ff5-9843-dc59c83b4ca3

Timeline

Publicly Published
2017-07-04 (about 8 years ago)
Added
2017-08-16 (about 8 years ago)
Last Updated
2021-06-25 (about 4 years ago)

Other

Published
Title
Published
2024-09-18
Title
Auto Affiliate Links < 6.4.7 - Admin+ SQL Injection
Published
2022-08-23
Title
BadgeOS < 3.7.1.3 - Subscriber+ SQLi
Published
2023-06-05
Title
WP Brutal AI < 2.0.0 - SQL Injection via CSRF
Published
2022-05-09
Title
Note Press <= 0.1.10 - Admin+ SQLi via Update
Published
2025-02-14
Title
WP Project Manager < 2.6.18 - Authenticated (Subscriber+) SQL Injection via orderby Parameter