Multiple vulnerabilities in WordPress Spider Calendar

Posted: October 6, 2012 in Vulnerabilities

Vulnerability: Multiple vulnerabilities in WordPress Spider Calendar

Danger: medium
Number of vulnerabilities: 2
Impact: Cross-site scripting, unauthorized manipulation of data
Affected products: WordPress Spider Calendar Plugin 1.x

Affected versions: WordPress Spider Calendar 1.0.1, possibly earlier.

Description:

These vulnerabilities allow a remote user to conduct cross-site scripting attacks and to execute arbitrary SQL commands in the application database.

1. The vulnerability is caused by insufficient input validation of the “date” parameter in the script front_end/spidercalendarbig.php. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.

2. The vulnerability is caused by insufficient input validation of the “calendar_id” parameter in the script front_end/spidercalendarbig_seemore.php (when the “ev_ids” parameter holds the ID of an existing event). This can be exploited to execute arbitrary SQL commands in the application database.
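As an added illustration (not the plugin's code and not part of the original advisory), the two input-handling weaknesses described above are shown below as a generic WordPress-style pattern, each beside a hardened form. Only the parameter names “date”, “calendar_id” and “ev_ids” come from the advisory; the function names, the table name and the assumption that “ev_ids” is a comma-separated list are made up for this example.

```php
<?php
// Illustrative example, not the Spider Calendar plugin's code. Function
// names, the table name and the ev_ids format are assumptions; only the
// parameter names "date", "calendar_id" and "ev_ids" come from the advisory.

// --- 1. Reflected XSS via the "date" parameter -----------------------------

// Weak pattern: a request parameter is echoed into the page unchanged.
function example_render_title_unsafe() {
    $date = isset( $_GET['date'] ) ? $_GET['date'] : '';
    echo '<h2>Calendar for ' . $date . '</h2>';
}

// Hardened: accept only a real YYYY-MM-DD date, fall back to today for
// anything else, and escape on output regardless of validation.
function example_render_title_safe() {
    $raw  = isset( $_GET['date'] ) ? wp_unslash( $_GET['date'] ) : '';
    $date = '';
    if ( preg_match( '/^\d{4}-\d{2}-\d{2}$/', $raw ) ) {
        list( $y, $m, $d ) = array_map( 'intval', explode( '-', $raw ) );
        if ( checkdate( $m, $d, $y ) ) {
            $date = sprintf( '%04d-%02d-%02d', $y, $m, $d );
        }
    }
    if ( '' === $date ) {
        $date = current_time( 'Y-m-d' ); // never reflect the rejected input
    }
    echo '<h2>Calendar for ' . esc_html( $date ) . '</h2>';
}

// --- 2. SQL injection via "calendar_id" (together with "ev_ids") ----------

// Weak pattern: request values are concatenated straight into the query.
function example_load_events_unsafe() {
    global $wpdb;
    $calendar_id = $_GET['calendar_id'];
    $ev_ids      = $_GET['ev_ids'];
    // "{$wpdb->prefix}example_events" is an assumed table name.
    $sql = "SELECT * FROM {$wpdb->prefix}example_events"
         . " WHERE calendar = " . $calendar_id
         . " AND id IN (" . $ev_ids . ")";
    return $wpdb->get_results( $sql );
}

// Hardened: coerce every id to a positive integer, discard the rest, and
// bind each value through $wpdb->prepare() so no request data reaches the
// SQL text directly.
function example_load_events_safe() {
    global $wpdb;
    $calendar_id = isset( $_GET['calendar_id'] ) ? absint( $_GET['calendar_id'] ) : 0;
    $raw_ids     = isset( $_GET['ev_ids'] ) ? (string) wp_unslash( $_GET['ev_ids'] ) : '';
    // Assumed format: comma-separated list of event ids.
    $ev_ids = array_filter( array_map( 'absint', explode( ',', $raw_ids ) ) );
    if ( 0 === $calendar_id || empty( $ev_ids ) ) {
        return array();
    }
    $placeholders = implode( ',', array_fill( 0, count( $ev_ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_events"
        . " WHERE calendar = %d AND id IN ($placeholders)",
        array_merge( array( $calendar_id ), array_values( $ev_ids ) )
    );
    return $wpdb->get_results( $sql );
}
```

The hardened forms apply the same rule to both findings: validate against the expected type (a calendar date, integer ids) before use, and treat output encoding (esc_html) and query parameterisation ($wpdb->prepare) as separate, mandatory steps rather than substitutes for validation.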

Manufacturer URL: http://web-dorado.com/

Solution: No way to eliminate the vulnerability is available at present.

Links:

http://packetstormsecurity.org/files/117078/WordPress-Spider-1.0.1-SQL-Injection-XSS.html
