An authenticated user can exploit this vulnerability by editing an event. Each event has an id parameter which is not properly sanitized. An attacker can exploit the vulnerable parameter and execute arbitrary SQL queries using blind SQL injection.
Proof of Concept
In order to replay the attack, use the link below.
http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id=1 AND SLEEP(10)
In order to exploit this vulnerability, you can use automated tools like sqlmap and query the database using time delays.
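For defenders, one check that follows from the advisory above: scan web-server access logs for edit requests to the plug-in's admin page whose id parameter is not a plain integer, and separate the ones that carry a time-delay function. This is an added example, not code from the advisory or from the plug-in; the combined-log format, the sample lines and the function names are assumptions.

```python
"""Flag Event List edit requests whose id parameter is not a plain integer.
Added example, not part of the original advisory: scans constructed
Apache-style access-log lines (assumed format) for the pattern the advisory
describes, an id on admin.php?page=el_admin_main&action=edit that is not an integer."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: a legitimate edit, the advisory's PoC payload
# (URL-encoded), a non-numeric id without a delay, and another legitimate edit.
SAMPLE_LOG = """\
10.0.0.5 - admin [06/Jun/2017:10:01:02 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=1 HTTP/1.1" 200 5120
10.0.0.5 - admin [06/Jun/2017:10:01:17 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=1%20AND%20SLEEP(10) HTTP/1.1" 200 5120
10.0.0.9 - editor [06/Jun/2017:10:02:00 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=abc HTTP/1.1" 200 5120
10.0.0.7 - editor [06/Jun/2017:10:03:00 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=42 HTTP/1.1" 200 5120
"""
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)  # MySQL delay functions

def parse_line(line):
    """Return (ip, user, method, target, status) for one combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, _ts, method, target, status = m.groups()
    return ip, user, method, target, int(status)

def classify_event_edit(target):
    """None for benign or unrelated requests; 'time_based' if the id holds a delay
    function call; 'non_integer_id' for any other non-integer id."""
    u = urlsplit(target)
    if not u.path.endswith("/wp-admin/admin.php"):
        return None
    q = parse_qs(u.query, keep_blank_values=True)  # decodes %20, %27 and '+'
    if q.get("page") != ["el_admin_main"] or q.get("action") != ["edit"]:
        return None
    for value in q.get("id", []):
        if not re.fullmatch(r"\d+", value):
            return "time_based" if TIME_DELAY_RE.search(value) else "non_integer_id"
    return None

def find_suspicious(log_text):
    """Return (ip, user, label, target) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            label = classify_event_edit(rec[3])
            if label:
                hits.append((rec[0], rec[1], label, rec[3]))
    return hits
```

Running find_suspicious(SAMPLE_LOG) flags the second and third sample lines and leaves the two legitimate edits alone. Casting the parameter to an integer before it reaches the query (WordPress provides absint() for this) is the corresponding fix on the plug-in side; the log check is the detective control for sites that ran the vulnerable version.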
- 04/06/2017 – Identification of the Vulnerability
- 04/06/2017 – Attempt to speak with the developer
- 04/06/2017 – Request for CVE
- 06/06/2017 – Contact with WordPress
- 06/06/2017 – The plug-in was removed from WordPress