• Please note that in the current version, 6.7.9, the plugin opens WP to SQL injections when editing an event.

    If you look in the “ec_management.class.php”, at line 186, the data from the edit event form is taken from the POST data and used without any sort of cleansing. The comments state that “stop using $wpdb->escape. We are now using wpdb->insert in EC_DB. So no need to do it here”; however, this is not true.

    If you look at line 261 in “ec_db.class.php”, you will see that the arguments (passed as POST data) are used directly in a plain SQL query, and it does not use wpdb->insert.

    http://wordpress.org/extend/plugins/events-calendar/
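The two patterns the post contrasts, written out as an added example (this is not the Events Calendar plugin's code; the table name ec_events, the column names, the function names and the nonce action are all hypothetical). The first function interpolates form fields straight into a query string, which is the shape of defect described above; the second does what the plugin's own comment claims to do, letting $wpdb->update() (or $wpdb->prepare()) build the statement from placeholders after the input has been checked:

```php
<?php
// Added example, not code from the Events Calendar plugin. The table
// {$wpdb->prefix}ec_events and the columns event_id, event_title and
// event_date are hypothetical names chosen for illustration only.

// UNSAFE: form values are concatenated into the SQL text. A single quote
// in any field ends the string literal, and whatever follows is parsed
// as SQL, which is exactly what "plain SQL query on POST data" means.
function ec_update_event_unsafe( $wpdb, array $post ) {
    $table = $wpdb->prefix . 'ec_events';
    $sql   = "UPDATE {$table} SET event_title='{$post['title']}', "
           . "event_date='{$post['date']}' "
           . "WHERE event_id={$post['id']}";
    return $wpdb->query( $sql ); // the user controls the statement
}

// SAFE: verify capability and nonce, coerce/sanitize each field, then let
// $wpdb->update() quote and type the values via its format arrays.
function ec_update_event_safe( $wpdb, array $post ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return false;
    }
    // check_admin_referer() dies on a bad nonce; 'ec_edit_event' is a
    // hypothetical action name that the edit form would have to emit.
    check_admin_referer( 'ec_edit_event' );

    $id    = absint( $post['id'] ?? 0 );
    $title = sanitize_text_field( wp_unslash( $post['title'] ?? '' ) );
    $date  = sanitize_text_field( wp_unslash( $post['date'] ?? '' ) );
    if ( 0 === $id ) {
        return false;
    }

    return $wpdb->update(
        $wpdb->prefix . 'ec_events',
        array( 'event_title' => $title, 'event_date' => $date ), // data
        array( 'event_id' => $id ),                              // where
        array( '%s', '%s' ),                                     // data formats
        array( '%d' )                                            // where format
    );
}

// When a hand-written query is unavoidable, $wpdb->prepare() does the
// quoting; the %d placeholder also rejects non-numeric ids.
function ec_get_event( $wpdb, $id ) {
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}ec_events WHERE event_id = %d",
            absint( $id )
        )
    );
}
```

A quick way to find the same defect elsewhere in a plugin is to grep for $wpdb->query(, $wpdb->get_results( and $wpdb->get_row( whose argument is a string built with interpolation or concatenation rather than a $wpdb->prepare() call; every hit that traces back to $_POST, $_GET or $_REQUEST needs the treatment shown in the safe function above.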

Viewing 1 replies (of 1 total)

The topic ‘[Plugin: Events Calendar] WARNING – Plugin vulnerable to SQL Injections’ is closed to new replies.