CVE-2017-9429: Event List Version v.0.7.8 Blind Based SQL Injection (SQLi)

Identification Date: 04/06/2017
Vendor Homepage: https://profiles.wordpress.org/mibuthu
Software Link: https://wordpress.org/plugins/event-list/

An authenticated user can exploit this vulnerability by editing an event. Each event has an id parameter which is not properly sanitized before it reaches the database query. An attacker can supply crafted values in this parameter and execute arbitrary SQL queries through blind SQL injection, inferring results from the response (or its timing) rather than from data echoed back to the page.

Proof of Concept

In order to replay the attack, use the…
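The shape of the bug and of its fix, as an added illustration that is not code from the Event List plugin or from the advisory author. The function names, the table name and the handler are hypothetical; the only thing taken from the advisory is that an event's id parameter reaches a SQL statement unsanitized. The hardened form uses WordPress's own `$wpdb->prepare()`, whose `%d` placeholder casts the value to an integer, so an appended condition cannot change the statement:

```php
<?php
// Added example, not the plugin's code. It assumes a hypothetical event-edit
// handler that loads one event row by the `id` request parameter.

// Vulnerable pattern (assumed for illustration): the raw id is concatenated
// into the statement, so anything that parses as SQL becomes part of it.
// A value such as "1 AND 1=2" silently changes the WHERE clause; the page
// never prints the query, but whether an event is returned (or how long
// the request takes) leaks the result of the injected condition.
function el_get_event_vulnerable( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'event_list'; // hypothetical table name
    return $wpdb->get_row( "SELECT * FROM $table WHERE id = " . $id );
}

// Hardened form: prepare() with %d coerces the value to an integer, so the
// statement that reaches MySQL is always "... WHERE id = <integer>".
function el_get_event_safe( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'event_list';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM $table WHERE id = %d", $id )
    );
}

// Hypothetical admin-side handler showing the checks that belong in front
// of the query: capability check, nonce check, then the prepared lookup.
function el_handle_edit_event() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'el_edit_event' ); // hypothetical nonce action
    $id    = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    $event = el_get_event_safe( $id );
    if ( null === $event ) {
        wp_die( 'Unknown event' );
    }
    return $event;
}
```

The difference worth checking in a code review is that `absint()` or `%d` is applied before the value is spliced into SQL; sanitizing for HTML output (`esc_html`, `sanitize_text_field`) does not prevent injection, and a numeric id should never be concatenated as a string at all.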
