WordPress Plugin Event List <= 0.7.8 - SQL Injection

EDB-ID: 42173
Author: Dimitrios Tsagkarakis
Published: 2017-06-04
CVE: CVE-2017-9429
Type: Webapps
Platform: PHP
Vulnerable App: N/A

 # Date: 04-06-2017 
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu
# Software Link: https://wordpress.org/plugins/event-list/
# Version: 0.7.8
# CVE : CVE-2017-9429
# Category: webapps

1. Description:

SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
allows an authenticated user to execute arbitrary SQL commands via the id
parameter to wp-admin/admin.php.

2. Proof of Concept:

=1 AND SLEEP(10)

3. Solution:

The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.

4. Reference:



Related Posts