PT-2017-13674 · WordPress · Event-Espresso-Free

Published

2017-09-27

Updated

2017-10-06

CVE-2017-14760

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions event-espresso-free plugin version 3.1.37.12.L

Description A SQL Injection issue exists in the event-espresso-free plugin for WordPress. The issue is related to the recurrence id parameter in the /includes/event-management/index.php file, which is accessible via the /wp-admin/admin.php endpoint.

Recommendations For event-espresso-free plugin version 3.1.37.12.L, consider restricting access to the /wp-admin/admin.php endpoint until a patch is available, and avoid using the recurrence id parameter to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2017-14760

Affected Products

Event-Espresso-Free

PT-2017-13674 · WordPress · Event-Espresso-Free

CVE-2017-14760

Weakness Enumeration

Related Identifiers

Affected Products

References · 3