
Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection

Description

The plugin did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. If the Frontend Event Submission form is embedded in a public page, any authenticated user, such as a subscriber, could perform this SQL Injection.
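
One way a handler for this action could treat the parameter, shown as an added example that is neither the plugin's code nor its actual patch. The handler name, nonce action and table name are hypothetical; the functions called are standard WordPress APIs.

```php
<?php
// Added example: hardened handling of mec[post_id] in a wp_ajax_mec_fes_form
// handler. example_fes_form_handler, the 'example_fes_form' nonce action and
// the example_events table are hypothetical names, not taken from the plugin.

add_action('wp_ajax_mec_fes_form', 'example_fes_form_handler');

function example_fes_form_handler() {
    global $wpdb;

    // Stop here unless the request carries a valid nonce.
    check_ajax_referer('example_fes_form', 'nonce');

    // mec arrives as a nested POST array; treat any other shape as malformed.
    $mec = (isset($_POST['mec']) && is_array($_POST['mec']))
        ? wp_unslash($_POST['mec'])
        : array();
    $raw = (isset($mec['post_id']) && is_scalar($mec['post_id']))
        ? (string) $mec['post_id']
        : '';

    // Accept only a plain decimal ID and reject everything else outright,
    // rather than silently coercing unexpected input.
    if (!ctype_digit($raw)) {
        wp_send_json_error(array('message' => 'Invalid post ID'), 400);
    }
    $post_id = absint($raw);

    // The form can be reachable by low-privileged accounts such as
    // subscribers, so check the caller's rights on this specific post.
    if ($post_id > 0 && !current_user_can('edit_post', $post_id)) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    // Bind the value through a %d placeholder instead of concatenating it
    // into the SQL string.
    $table = $wpdb->prefix . 'example_events'; // hypothetical table
    $row   = $wpdb->get_row(
        $wpdb->prepare("SELECT id, post_id FROM {$table} WHERE post_id = %d", $post_id)
    );

    wp_send_json_success(array('found' => null !== $row));
}
```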
