Availability Calendar < 1.2.1 – Authenticated SQL Injection | CVE 2021-24606 | Plugin Vulnerabilities

Description

The plugin does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+

Proof of Concept

With an account role as low as contributor, put the following in a page/post: [availabilitycalendar category="1) UNION select user(),user(),user(),user(),user(),user(),user() -- "]

Affects Plugins

availability-calendar

Fixed in 1.2.1

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

xiahao@webray.com.cn inc

Submitter

xiahao@webray.com.cn inc

Submitter twitter

lAmn9V6MU9Dfb8p

Verified

Yes

WPVDB ID

fe49f48a-f97a-44fe-8d71-be08e7ce4f83

Timeline

Publicly Published

2021-08-04 (about 2 years ago)

Added

2021-08-19 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

Allow PHP in Posts & Pages < 2.1.0 - SQL Injection

Published

2023-04-19

Title

Booking calendar, Appointment Booking System < 3.2.8 - Admin+ SQLi

Published

2022-10-17

Title

WP < 6.0.3 - SQLi in WP_Date_Query

Published

2014-08-01

Title

Wordpress 2.2 - XML-RPC SQL Injection

Published

2014-08-01

Title

Zotpress <= 4.4 - SQL Injection