CVE-2021-24606: Availability Calendar < 1.2.1 - Authenticated SQL Injection
First published: Mon Sep 20 2021(Updated: )
The Availability Calendar WordPress plugin before 1.2.1 does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Steve Availability Calendar | <1.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for the Availability Calendar WordPress plugin?
The vulnerability ID for the Availability Calendar WordPress plugin is CVE-2021-24606.
What is the severity of CVE-2021-24606?
The severity of CVE-2021-24606 is high, with a severity value of 8.8.
How does CVE-2021-24606 affect the Availability Calendar WordPress plugin?
CVE-2021-24606 allows a user to perform SQL injection by exploiting the unescaped category attribute in the plugin's shortcode.
Which version of the Availability Calendar WordPress plugin is affected by CVE-2021-24606?
The Availability Calendar WordPress plugin version up to but excluding 1.2.1 is affected by CVE-2021-24606.
Is there a fix available for CVE-2021-24606?
Yes, updating the Availability Calendar plugin to version 1.2.1 or later fixes CVE-2021-24606.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/offshorewebmaster
- canonical/steve availability calendar