WordPress Event Calendar (Spider Event Calendar) <= 1.4.9 is vulnerable to SQL Injection

Unauthenticated

Published
2015-02-12

SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php.

CVE

https://www.cve.org/CVERecord?id=CVE-2015-2196

CVSS

Score:9.8

Severity:Critical

Version: 1.4.9

There is a patch available in v1.5.0 and we strongly recommend you update to this version as soon as possible.