WordPress Multi View Event Calendar SQL Injection Vulnerability Network Vulnerability

Summary

This host is installed with WordPress Multi View Event Calendar plugin and is prone to sql-injection vulnerability.

Impact

Successful exploitation will allow attacker to manipulate SQL queries in the backend database allowing for the manipulation or disclosure of arbitrary data. Impact Level: Application

Solution

No solution or patch is available as of 9th February, 2015. Information regarding this issue will be updated once the solution details are available. For updates refer to https://wordpress.org/plugins/cp-multi-view-calendar/

Insight

Input passed via the 'calid' GET parameter is not properly sanitized before being returned to the user.

Affected

CP Multi View Event Calendar version 1.01

Detection

Send a crafted data via HTTP GET request and check whether it is able to execute sql query or not.

References

http://1337day.com/exploits/22786
http://osvdb.com/113670
http://packetstormsecurity.com/files/128814
http://www.exploit-db.com/exploits/35073/

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Adobe ColdFusion Information Disclosure Vulnerability
Admin Bot 'news.php' SQL Injection Vulnerability
Apache Tomcat AJP Protocol Security Bypass Vulnerability
4Images <= 1.7.1 Directory Traversal Vulnerability
Adobe ColdFusion Authentication Bypass Vulnerability

Take action and discover your vulnerabilities