CVE-2021-24145
Published 2021-03-18
Priority: P2 · 68 · high · 7.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 88.16% (99.7th percentile)
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5: the plugin did not properly check the imported file, allowing PHP files to be uploaded by an administrator by using the 'text/csv' content-type in the request.
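The decision the advisory describes is the CWE-434 pattern of trusting the client's declared content type. The following Python model is an added example, not the plugin's code: `accept_by_declared_type` reproduces a check that looks only at the request's Content-Type (so `shell.php` sent as `text/csv` passes), and `accept_import_file` is the hardened form, which ignores the declared type, allowlists the extension, rejects any PHP open tag in the bytes, requires the data to parse as a CSV table, and stores the file under a server-chosen name. The function names and the CSV-shape heuristic are this example's own assumptions.

```python
import csv
import io
import re
import secrets

ALLOWED_EXTS = {"csv"}
# Any PHP open tag: <?php, <?=, or a bare <? when short_open_tag is enabled.
PHP_OPEN_TAG = re.compile(rb"<\?")


def accept_by_declared_type(filename: str, declared_type: str, data: bytes) -> bool:
    """Modeled weak rule: trusts only the client-supplied Content-Type.

    Neither the filename nor the bytes are examined, so shell.php sent with
    Content-Type: text/csv is accepted. This models the behaviour the
    advisory describes; it is not the plugin's code.
    """
    return declared_type.lower().split(";")[0].strip() == "text/csv"


def looks_like_csv(data: bytes) -> bool:
    """Require decodable text with at least one row and a constant column count."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    rows = [r for r in csv.reader(io.StringIO(text, newline="")) if r]
    return bool(rows) and len({len(r) for r in rows}) == 1


def accept_import_file(filename: str, declared_type: str, data: bytes) -> bool:
    """Hardened rule: declared_type is ignored; extension and bytes decide."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTS:
        return False
    if PHP_OPEN_TAG.search(data):  # a booking CSV never needs a PHP open tag
        return False
    return looks_like_csv(data)


def storage_name() -> str:
    """Server-chosen name: random token plus the only allowed extension.

    The client's filename is discarded entirely, so it cannot smuggle a
    second extension (shell.php.csv) or path separators. Import files
    should also be written outside the web root, or to a directory that
    does not execute PHP, rather than to wp-content/uploads.
    """
    return f"{secrets.token_hex(8)}.csv"


if __name__ == "__main__":
    payload = b"<?php echo md5('example'); ?>"  # constructed test payload
    print(accept_by_declared_type("shell.php", "text/csv", payload))  # True: the bug
    print(accept_import_file("shell.php", "text/csv", payload))       # False
    print(accept_import_file("bookings.csv", "text/csv", payload))    # False
    print(accept_import_file("bookings.csv", "application/octet-stream",
                             b"id,name\r\n1,Alice\r\n"))             # True
    print(storage_name())
```

The declared type is dropped on purpose rather than checked in addition: it is attacker-controlled, so it can only ever be a reason to reject, never a reason to accept. The extension allowlist plus the byte inspection is what the check should have been; the server-chosen storage name is what makes the filename irrelevant even if a later check regresses.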
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webnus | modern_events_calendar_lite | < 5.16.5 | 5.16.5 |
Detection & IOCs (extracted from sources)
- Detect a PHP file upload disguised as CSV: a multipart POST to the MEC import endpoint whose file part carries Content-Type: text/csv but a .php filename in its Content-Disposition header.
- Monitor POST requests to wp-admin/admin.php?page=MEC-ix&tab=MEC-import with a multipart boundary and a filename ending in .php for authenticated RCE attempts.
- Alert on GET requests to /wp-content/uploads/*.php that follow a POST to the MEC import endpoint; the pair indicates a successful webshell upload and execution.
- Look for the mec-ix-action form field value 'import-start-bookings' in multipart POST bodies as a trigger indicator for the exploit workflow.
- Exploitation requires an authenticated administrator account (PR:H in the CVSS vector); the vulnerability is not exploitable by unauthenticated users.
- Only plugin versions before 5.16.5 are vulnerable; version 5.16.5 and later include the fix.
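The indicators above turned into working detection logic, as an added example that is not part of the original page or any vendor rule: `inspect_upload` parses a captured multipart POST to the import endpoint and reports a PHP filename, a text/csv declaration on it, a PHP open tag in the part body, and the `mec-ix-action=import-start-bookings` trigger; `correlate_log` pairs an import POST with a later GET to `/wp-content/uploads/*.php` from the same client in access-log lines. The sample body and log lines are constructed for the example, the upload field name `feed` is an assumption, and the extension list beyond `.php` is this example's own generalisation to the variants a default Apache+PHP setup also executes.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# The plugin's import page, as named in the IOC list.
IMPORT_PATH = "/wp-admin/admin.php"
IMPORT_QUERY = {"page": "MEC-ix", "tab": "MEC-import"}
# The page names only .php; the rest are an assumption covering common variants.
PHP_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar")
TRIGGER_FIELD, TRIGGER_VALUE = "mec-ix-action", "import-start-bookings"

# Constructed sample data: a multipart body shaped like the exploit's upload
# (field name "feed" is an assumption) and three access-log lines.
BOUNDARY = "-" * 27 + "132370916641787807752589698875"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="feed"; filename="shell.php"\r\n'
    "Content-Type: text/csv\r\n\r\n"
    "<?php echo md5('example'); ?>\r\n"
    f"--{BOUNDARY}\r\n"
    f'Content-Disposition: form-data; name="{TRIGGER_FIELD}"\r\n\r\n'
    f"{TRIGGER_VALUE}\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2021:10:15:02 +0000] "POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jul/2021:10:15:05 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 200 32',
    '198.51.100.9 - - [01/Jul/2021:10:16:00 +0000] "GET /wp-content/uploads/2021/07/photo.jpg HTTP/1.1" 200 8192',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def is_import_endpoint(target: str) -> bool:
    """True when the request target is the MEC import page."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    return parts.path == IMPORT_PATH and all(qs.get(k) == [v] for k, v in IMPORT_QUERY.items())


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into (headers, data) tuples."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, data.rstrip(b"\r\n")))
    return parts


def inspect_upload(request_line: str, content_type: str, body: bytes) -> list:
    """Return the IOCs present in one captured request (empty when clean)."""
    method, target, _ = request_line.split(" ", 2)
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if method != "POST" or not is_import_endpoint(target) or not m:
        return []
    findings = []
    for headers, data in parse_multipart(body, m.group(1)):
        disp = headers.get("content-disposition", "")
        fname = re.search(r'filename="([^"]*)"', disp)
        field = re.search(r'(?:^|;\s*)name="([^"]*)"', disp)
        if fname and fname.group(1).lower().endswith(PHP_EXTS):
            findings.append(f"php filename in upload: {fname.group(1)}")
            if headers.get("content-type", "").lower().startswith("text/csv"):
                findings.append("php file declared as text/csv")
        if data.lstrip().startswith(b"<?php"):
            findings.append("php open tag in part body")
        if field and field.group(1) == TRIGGER_FIELD and data == TRIGGER_VALUE.encode():
            findings.append(f"{TRIGGER_FIELD}={TRIGGER_VALUE}")
    return findings


def correlate_log(lines, window=timedelta(minutes=10)) -> list:
    """Pair an import POST with a later GET to uploads/*.php from the same IP."""
    last_post, hits = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, method, target = m["ip"], m["method"], m["target"]
        path = urlsplit(target).path
        if method == "POST" and is_import_endpoint(target):
            last_post[ip] = ts
        elif (method == "GET" and path.startswith("/wp-content/uploads/")
              and path.lower().endswith(PHP_EXTS)
              and ip in last_post and ts - last_post[ip] <= window):
            hits.append((ip, path, m["status"]))
    return hits


if __name__ == "__main__":
    req = "POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1"
    print(inspect_upload(req, f"multipart/form-data; boundary={BOUNDARY}", SAMPLE_BODY))
    print(correlate_log(SAMPLE_LOG))
```

The filename and the declared Content-Type are both attacker-controlled, so the first two indicators are cues to investigate rather than proof; the durable signal is the access-log pair, a GET to a freshly created `.php` under `wp-content/uploads` shortly after an import POST. Since the upload requires an administrator session, every hit from `correlate_log` is also a lead on a compromised or misused admin account, not only on a webshell.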
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)
exploitdb · 2021-07-02 · CVSS 7.2

Exploit header (the indexed copy is cut off inside the description docstring):

```python
# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)
# Date: 01.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
# Version: Before 5.16.5
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24145
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24145/README.md
'''
Description:
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5,
did not properly check the imported file, allowing PHP ones to be uploaded by
```
Metasploit
Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution
metasploit
This module allows an attacker with a privileged Wordpress account to launch a reverse shell due to an arbitrary file upload vulnerability in Wordpress plugin Modern Events Calendar.
Nuclei
WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
nuclei · CVSS 7.2

Template excerpt (the indexed copy begins mid-request; only the tail of the upload body, the follow-up GET and the matcher survive):

```yaml
      -----------------------------132370916641787807752589698875
      Content-Disposition: form-data; name="mec-ix-action"

      import-start-bookings
      -----------------------------132370916641787807752589698875--
  - |
    GET /wp-content/uploads/{{randstr}}.php HTTP/1.1
    Host: {{Hostname}}
matchers-condition: and
matchers:
  - type: word
    part: body_3
    words:
      - '{{md5(string)}}'
# digest: 490a0046304402207a2867ab4b0eaf11b1534be6f3b8e7c9e32af40e58946cad4e76ffae54f59967022023fe875624de6889b75eead3aa4055c11c244f75f5eeda938547b202637f651b:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html
- http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html
- https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610