• Resolved ArDP

    (@ardp)


    We did a ZAP Scan of this add-on for SQL injections, and there was a vulnerability.

    [ link redacted ]

    Given that this is an actively used add-on for many people, and we have not modified anything from the original programming, could you please fix this exploit ASAP? Any site that utilizes this plugin could be vulnerable in the meantime.

    https://wordpress.org/plugins/events-manager/

Viewing 7 replies - 1 through 7 (of 7 total)
  • I’ll pass this on to the development team for their comment.

    Plugin Author Marcus (aka @msykes)

    (@netweblogic)

    can you please send us more information if you have any as well as a link to that page if possible to:

    security at wp-events-plugin.com

    Looking at this I’m not sure how this could be a vulnerability and it seems like a false-positive. That parameter isn’t used in SQL so it couldn’t constitute an SQL vulnerability.

    please take down that image as well and contact us directly in case it is real so that it isn’t out in the open

    Thread Starter ArDP

    (@ardp)

    Apologies, it’s not letting me edit my topic, as it’s beyond the hour point – I did “Report Image as Offensive” on Tinypic to have it removed, though. Feel free to delete this topic if you have the ability, and I will e-mail you folks as much info as I have available.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    He doesn’t have the ability to delete or edit this topic but I do. I’ve removed the image link.

    Thanks, Jan.

    Thread Starter ArDP

    (@ardp)

    Thank you Jan.

    Did you folks receive my e-mail?

    Plugin Author Marcus (aka @msykes)

    (@netweblogic)

    upon further inspection, it is a false-positive and not a vulnerability at all.

    ajaxCalendar (the supposedly vulnerable parameter in the URL) is simply checked whether it’s ‘on’ or ‘off’ and based on that calendar data is returned. The rest of the request is sanitized so only relevant arguments with valid values are passed onto our objects for querying. It’s not used in any way for constructing an SQL statement.

    I’m not sure why it’s flagging that particular parameter, because it could have said the same thing for any of them since it has no effect whatsoever from what I see.

    thanks anyways for reporting!
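    The handling pattern Marcus describes above (a toggle compared only against ‘on’/‘off’, every other argument allow-listed and validated, and only clean values passed to a parameterised query) is the usual reason a scanner’s SQL-injection flag on such a parameter turns out to be a false positive. The following is an added illustration written for this thread, not code from Events Manager or WordPress; it models that flow in Python with an in-memory SQLite table so it can be run offline. The endpoint, the `ALLOWED_ARGS` allow-list, the `events` table and the sample rows are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the plugin's own event storage.
SAMPLE_EVENTS = [
    ("Board meeting", "2024-03-01", "business"),
    ("Spring fair", "2024-03-15", "community"),
    ("Webinar", "2024-04-02", "business"),
]


def _valid_category(value):
    """Accept only known category names; anything else is dropped."""
    return value if value in {"business", "community"} else None


def _valid_month(value):
    """Accept only an integer 1..12; a payload string fails the int() parse."""
    try:
        month = int(value)
    except (TypeError, ValueError):
        return None
    return month if 1 <= month <= 12 else None


# Hypothetical allow-list: parameter name -> validator returning a clean value or None.
ALLOWED_ARGS = {
    "category": _valid_category,
    "month": _valid_month,
}


def parse_request(params):
    """Mirror the flow described in the thread.

    The toggle is only ever compared to the literal 'on'; any other string,
    including a SQL payload, simply means 'off'. Every other argument must be
    on the allow-list and pass its validator, so unknown or malformed input
    never reaches the query builder.
    """
    calendar_on = params.get("ajaxCalendar") == "on"
    clean = {}
    for name, validator in ALLOWED_ARGS.items():
        if name in params:
            value = validator(params[name])
            if value is not None:
                clean[name] = value
    return calendar_on, clean


def build_query(clean):
    """Build a parameterised query; validated values are bound, never interpolated."""
    sql = "SELECT title, day, category FROM events WHERE 1=1"
    binds = []
    if "category" in clean:
        sql += " AND category = ?"
        binds.append(clean["category"])
    if "month" in clean:
        # day is stored as YYYY-MM-DD; characters 6-7 are the month.
        sql += " AND CAST(substr(day, 6, 2) AS INTEGER) = ?"
        binds.append(clean["month"])
    return sql, binds


def handle(params):
    """Return (calendar_on, sql, rows).

    The SQL text is returned alongside the rows so a reviewer triaging a
    scanner report can confirm that no request string appears in it.
    """
    calendar_on, clean = parse_request(params)
    sql, binds = build_query(clean)
    if not calendar_on:
        return False, sql, []
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (title TEXT, day TEXT, category TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    rows = conn.execute(sql, binds).fetchall()
    conn.close()
    return True, sql, rows


if __name__ == "__main__":
    print(handle({"ajaxCalendar": "on", "category": "business"}))
    print(handle({"ajaxCalendar": "on' OR 1=1 --", "category": "business"}))
```

    When triaging a report like the one in this thread, the useful check is the second call: a payload placed in the toggle parameter changes nothing except that the toggle reads as ‘off’, and the returned SQL string is identical to the clean case. A scanner that flags every parameter it can mutate cannot see this, which is why confirming how a parameter is actually consumed is the deciding step rather than the scanner output alone.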

  • The topic ‘SQL Injections Possible’ is closed to new replies.