Vulnerability Description
The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL injections are also present in the plugin.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Timeline Calendar Project | Timeline Calendar | <= 1.2 |
Related Weaknesses (CWE)
References
- https://codevigilant.com/disclosure/2021/wp-plugin-timeline-calendar/ (Exploit, Third Party Advisory)
- https://wpscan.com/vulnerability/14c75a00-a52b-430b-92da-5145e5aee30a (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-24553?
CVE-2021-24553 is a vulnerability with a CVSS score of 7.2 (HIGH). The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL ...
How severe is CVE-2021-24553?
CVE-2021-24553 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24553?
Check the references section above for vendor advisories and patch information. Affected products include: Timeline Calendar (Timeline Calendar Project), versions up to and including 1.2.