CVE-2021-24145
published 2021-03-18

CVE-2021-24145: Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones…

Priority: P2 (68), high; CVSS 3.1 base score: 7.2
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 88.16% (99.7th percentile)
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.

Affected (1 range)

Vendor   Product                      Version range   Fixed in
webnus   modern_events_calendar_lite  < 5.16.5        5.16.5

Detection & IOCs (extracted from sources)

path: /wp-admin/admin.php?page=MEC-ix&tab=MEC-import
path: /wp-content/uploads/{{randstr}}.php
command: import-start-bookings
  • Detect PHP file upload disguised as CSV: multipart POST to the MEC import endpoint with Content-Type: text/csv but a .php filename in the Content-Disposition header.
  • Monitor POST requests to wp-admin/admin.php?page=MEC-ix&tab=MEC-import with multipart boundary and a filename ending in .php for authenticated RCE attempts.
  • Alert on GET requests to /wp-content/uploads/*.php following a POST to the MEC import endpoint, indicating successful webshell upload and execution.
  • Look for the mec-ix-action form field value 'import-start-bookings' in multipart POST bodies as a trigger indicator for the exploit workflow.
  • Exploitation requires an authenticated administrator account; the vulnerability is not exploitable by unauthenticated users.
  • Only plugin versions before 5.16.5 are vulnerable; version 5.16.5 and later include the fix.
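Detection logic for the indicators above, added here as an example rather than code from the CVE record or the plugin. It assumes requests have already been parsed into dicts (src, method, path, the upload part's content type and filename, form fields) as a proxy or WAF log would provide; the sample events are constructed.

```python
from urllib.parse import parse_qs, urlparse

MEC_IMPORT_PATH = "/wp-admin/admin.php"
MEC_IMPORT_QUERY = {"page": ["MEC-ix"], "tab": ["MEC-import"]}

def is_mec_import_post(ev):
    """True for a POST to admin.php?page=MEC-ix&tab=MEC-import."""
    url = urlparse(ev["path"])
    return (ev["method"] == "POST" and url.path == MEC_IMPORT_PATH
            and all(parse_qs(url.query).get(k) == v for k, v in MEC_IMPORT_QUERY.items()))

def classify(ev):
    """Indicators matched by one request on its own (no cross-event state)."""
    hits = []
    if is_mec_import_post(ev):
        fname = (ev.get("filename") or "").lower()
        if fname.endswith(".php"):
            hits.append("php_filename_on_import")
            if ev.get("part_content_type") == "text/csv":
                hits.append("csv_content_type_mismatch")
        # Alone this is normal admin activity; it only corroborates the hits above.
        if ev.get("form", {}).get("mec-ix-action") == "import-start-bookings":
            hits.append("import_start_bookings_action")
    return hits

def analyze(events):
    """Classify each request, then flag a GET to an uploaded .php file only
    when the same source address earlier sent a suspicious import POST."""
    alerts, suspicious = [], set()
    for ev in events:
        hits = classify(ev)
        if "php_filename_on_import" in hits:
            suspicious.add(ev["src"])
        if (ev["method"] == "GET" and ev["src"] in suspicious
                and ev["path"].startswith("/wp-content/uploads/")
                and urlparse(ev["path"]).path.lower().endswith(".php")):
            hits.append("uploaded_php_requested")
        alerts.extend((ev["src"], h) for h in hits)
    return alerts

# Constructed sample: a suspicious sequence, a legitimate CSV import, and an uncorrelated GET.
IMPORT_URL = "/wp-admin/admin.php?page=MEC-ix&tab=MEC-import"
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "method": "POST", "path": IMPORT_URL, "part_content_type": "text/csv",
     "filename": "bookings.php", "form": {"mec-ix-action": "import-start-bookings"}},
    {"src": "203.0.113.7", "method": "GET", "path": "/wp-content/uploads/bookings.php"},
    {"src": "198.51.100.4", "method": "POST", "path": IMPORT_URL, "part_content_type": "text/csv",
     "filename": "bookings.csv", "form": {"mec-ix-action": "import-start-bookings"}},
    {"src": "198.51.100.4", "method": "GET", "path": "/wp-content/uploads/index.php"},
]
```

The legitimate CSV import from 198.51.100.4 only raises the corroborating action indicator, and its later GET to an uploads .php path is not alerted because no suspicious upload preceded it from that source.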

CVSS provenance

NVD, CVSS v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P