漏洞类别:CGI
漏洞等级: 
漏洞信息
WordPress is an open source blogging tool and content management system based on PHP and MySQL. It has many features including a plug-in architecture and a template system. CP Reservation Calendar is a booking calendar that allows selecting dates - ex: check-in and check-out dates - for a reservation.
Multiple SQL injection vulnerabilities in the implemented dex_reservations.php source file allows remote attackers to execute arbitrary SQL commands via the id parameter in a dex_reservations_calendar_load2 action or dex_item parameter in a dex_reservations_check_posted_data action in a request to the default URI. An unauthenticated, remote attacker can exploit the vulnerability by transmitting malicious HTTP GET requests to inject and execute arbitrary SQL commands in the targeted application's database.
Affected Versions:
CP Reservation Calendar plugin for WordPress prior to version 1.1.7
漏洞危害
Successful exploitation allows an unauthenticated, remote attacker to manipulate SQL queries by injecting arbitrary SQL code or further exploit latent vulnerabilities in the underlying database.
解决方案
Customers are advised to install WordPress plugin CP Reservation Calendar 1.1.7 or later versions to fix this vulnerability.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0day
文章评论