
CVE-2021-24943

CVSS Severity Score: 9.8 (CRITICAL)
EPSS Score: 0.1510%
EPSS Percentile: 38.18th
Published: Dec 6, 2021
Last Modified: Nov 21, 2024

Vulnerability Description

The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.

Affected Platforms (CPE)

Vendor: Roundupwp
Product: Registrations For The Events Calendar
Affected versions: < 2.7.6
