Vulnerability: Multiple vulnerabilities in WordPress Spider Calendar
Severity: medium
Number of vulnerabilities: 2
Impact: Cross-site scripting, unauthorized manipulation of data
Affected products: WordPress Spider Calendar Plugin 1.x
Affected versions: WordPress Spider Calendar 1.0.1, possibly earlier.
Description:
The vulnerabilities allow a remote user to conduct cross-site scripting attacks and to execute arbitrary SQL commands in the application database.
1. The vulnerability is caused by insufficient validation of input passed via the “date” parameter to the script front_end/spidercalendarbig.php. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site.
2. The vulnerability is caused by insufficient validation of input passed via the “calendar_id” parameter to the script front_end/spidercalendarbig_seemore.php (reached when the “ev_ids” parameter contains IDs of existing events). This can be exploited to execute arbitrary SQL commands in the application database.
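The two findings share one root cause: request parameters reach HTML output and an SQL statement without being constrained to the type the code expects. The following is an added illustration of the hardened form of both input points; it is not the plugin's code, and the function names, table name and column names are assumptions (it assumes the WordPress runtime, i.e. $wpdb, absint() and esc_html()).

```php
<?php
// Added illustration, not the plugin's own code. Function, table and column
// names are assumptions; $wpdb, absint() and esc_html() come from WordPress.

// "date": accept only a real calendar date in YYYY-MM-DD form and escape it
// for HTML output. Anything else is rejected rather than "cleaned up", so no
// attacker-controlled markup can reach the page.
function spider_safe_date( $raw ) {
    $raw = (string) $raw;
    $d   = DateTime::createFromFormat( '!Y-m-d', $raw );
    // Round-trip check rejects overflowed dates such as 2012-02-30.
    if ( ! $d || $d->format( 'Y-m-d' ) !== $raw ) {
        return null;
    }
    return esc_html( $d->format( 'Y-m-d' ) );
}

// "calendar_id" and "ev_ids": coerce every value to an integer and bind the
// values with $wpdb->prepare(), so they can never alter the SQL structure.
function spider_safe_events( $calendar_id, $ev_ids ) {
    global $wpdb;
    $calendar_id = absint( $calendar_id );
    $ids = array_values( array_filter( array_map( 'absint', (array) $ev_ids ) ) );
    if ( 0 === $calendar_id || empty( $ids ) ) {
        return array(); // nothing valid to query
    }
    // One %d placeholder per event ID; the list length is known, the values are bound.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}spidercalendar_event
         WHERE calendar_id = %d AND id IN ($placeholders)",
        array_merge( array( $calendar_id ), $ids )
    );
    return $wpdb->get_results( $sql );
}
```

Validation happens at the point of use and in the type the sink expects (a date for the page, integers for the query), which is the property the vulnerable scripts lack.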
Manufacturer URL: http://web-dorado.com/
Solution: No fix is available at present.
Links:
http://packetstormsecurity.org/files/117078/WordPress-Spider-1.0.1-SQL-Injection-XSS.html