CVE-2015-2196

NUCLEI

Spider Event Calendar 1.4.9 - SQL Injection via cat_id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-2196. PoCs published by Mateusz Lach. A Nuclei detection template is also available.

AI-analyzed exploit summary This PHP script exploits a SQL injection vulnerability in WordPress Spider Event Calendar <= 1.4.9 by injecting malicious SQL queries via the 'cat_id' parameter to extract table names and user credentials.

Description

SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Mateusz Lach · phpwebappsphp

https://www.exploit-db.com/exploits/36061

View Code ZIP pw:eip

This PHP script exploits a SQL injection vulnerability in WordPress Spider Event Calendar <= 1.4.9 by injecting malicious SQL queries via the 'cat_id' parameter to extract table names and user credentials.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Spider Event Calendar <= 1.4.9

No auth needed

Prerequisites: Target must have WordPress Spider Event Calendar <= 1.4.9 installed · Target must be accessible via HTTP

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress Spider Calendar <=1.4.9 - SQL Injection

HIGHVERIFIEDby theamanrawat

References (1)

Core 1

Core References

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/36061

Scores

EPSS 0.0308

EPSS Percentile 87.1%

Details

CWE

CWE-89

Status published

Products (1)

web-dorado/spider_calendar 1.4.9

Published Mar 03, 2015

Tracked Since Feb 18, 2026