WordPress Plugin Vulnerabilities

Availability Calendar < 1.2.1 - Authenticated SQL Injection

Description

The plugin does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+

Proof of Concept

With an account role as low as contributor, put the following in a page/post: [availabilitycalendar category="1) UNION select user(),user(),user(),user(),user(),user(),user() -- "]

Affects Plugins

Plugin icon
availability-calendar
Fixed in 1.2.1

References

CVE
CVE-2021-24606

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.5 (high)

Miscellaneous

Original Researcher
[email protected] inc
Submitter
[email protected] inc
Submitter twitter
lAmn9V6MU9Dfb8p
Verified
Yes
WPVDB ID
fe49f48a-f97a-44fe-8d71-be08e7ce4f83

Timeline

Publicly Published
2021-08-04 (about 2 years ago)
Added
2021-08-19 (about 2 years ago)
Last Updated
2022-04-09 (about 1 years ago)

Other

Published
Title
Published
2021-06-04
Title
GeoDirectory Location Manager < 2.1.0.10 - Multiple Unauthenticated SQL Injections
Published
2014-08-01
Title
WPtouch 1.9.8 - include/submit.php Multiple Parameter SQL Injection
Published
2014-08-01
Title
Social Slider <= 5.6.5 - social-slider-2/ajax.php rA Parameter SQL Injection
Published
2017-01-28
Title
FormBuilder <= 1.0.7 - Multiple Authenticated SQL Injection
Published
2023-06-23
Title
MStore API < 4.0.2 - Unauthenticated SQL Injection