PT-2021-16121 · WordPress · Availability Calendar

Xiahao@Webray.Com.Cn Inc

Published

2021-09-20

Updated

2021-10-01

CVE-2021-24606

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Availability Calendar WordPress plugin versions prior to 1.2.1

Description The issue arises from the failure to escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection problem. This can be exploited by any user able to add shortcode to posts or pages, such as those with contributor or higher privileges.

Recommendations For versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability to add shortcodes to posts or pages to only trusted users until the update can be applied.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2021-24606

Affected Products

Availability Calendar

PT-2021-16121 · WordPress · Availability Calendar

CVE-2021-24606

Weakness Enumeration

Related Identifiers

Affected Products

References · 5