CVE-2017-17616 – Event Calendar Category Script 1.0 - 'city' SQL Injection
https://notcve.org/view.php?id=CVE-2017-17616
Event Search Script 1.0 has SQL Injection via the /event-list city parameter. Event Search Script 1.0 tiene una inyección SQL mediante el parámetro city en /event-list. • https://www.exploit-db.com/exploits/43279 https://packetstormsecurity.com/files/145306/Event-Search-Script-1.0-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-12068 – Event List <= 0.7.9 - Unauthenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-12068
The Event List plugin 0.7.9 for WordPress has XSS in the slug array parameter to wp-admin/admin.php in an el_admin_categories delete_bulk action. El plugin Event List en su versión 0.7.9 para WordPress tiene una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el parámetro slug array para wp-admin/admin.php en una acción el_admin_categories delete_bulk. • https://github.com/kevins1022/cve/blob/master/wordpress-event-list.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-9429 – Event List < 0.7.9 - Authenticated (Admin+) SQL Injection
https://notcve.org/view.php?id=CVE-2017-9429
SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress allows an authenticated user to execute arbitrary SQL commands via the id parameter to wp-admin/admin.php. Una vulnerabilidad de inyección SQL en el plugin Event List versión 0.7.8 para WordPress, permite a un usuario autenticado ejecutar comandos SQL arbitrarios por medio del parámetro id en el archivo wp-admin/admin.php. The Event List plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in versions before 0.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. WordPress Event List versions 0.7.8 and below suffer from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/42173 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-18576 – Event Notifier <= 1.2.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18576
The event-notifier plugin before 1.2.1 for WordPress has XSS via the loading animation. El de notificación de eventos anterior a la versión 1.2.1 para WordPress tiene XSS a través de la animación de carga. • https://wordpress.org/plugins/event-notifier/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-8586 – Calendar Event Multi View < 1.0.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2014-8586
SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress allows remote attackers to execute arbitrary SQL commands via the calid parameter. Vulnerabilidad de inyección SQL en el plugin CP Multi View Event Calendar 1.01 para WordPress permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro calid. SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.0.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the calid parameter. • https://www.exploit-db.com/exploits/35073 http://osvdb.org/show/osvdb/113670 http://packetstormsecurity.com/files/128814/WordPress-CP-Multi-View-Event-Calendar-1.01-SQL-Injection.html http://www.exploit-db.com/exploits/35073 http://www.securityfocus.com/bid/70718 https://exchange.xforce.ibmcloud.com/vulnerabilities/97766 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •