CVE-2021-24146
published 2021-03-18

CVE-2021-24146: Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files…

Priority: P2 (65, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Exploit: available
EPSS: 31.04% (98.0th percentile)
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to export all event data, for example in CSV or XML format.

Affected

1 range

Vendor   Product                      Version range   Fixed in
webnus   modern_events_calendar_lite  < 5.16.5        5.16.5

Detection & IOCs (extracted from sources)

url:   /wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv
other: mec-events
  • Detect unauthenticated GET requests to the MEC export endpoint. The request requires no authentication and targets the admin.php page with specific query parameters: page=MEC-ix, tab=MEC-export, mec-ix-action=export-events, and format=csv (or xml).
  • A successful exploitation response will contain the header value 'mec-events' and content-type 'text/csv' with HTTP status 200, indicating event data was exported without authentication.
  • Monitor for unauthenticated access to wp-admin/admin.php with query parameters containing 'MEC-ix', 'MEC-export', and 'export-events' — these are specific to the Modern Events Calendar Lite plugin export functionality exploited in CVE-2021-24146.
  • The exploit also supports XML format export in addition to CSV. Detection rules should account for both format=csv and format=xml variants of the export URL.
  • The vulnerability affects Modern Events Calendar Lite versions before 5.16.5. Installations already updated to 5.16.5 or higher are not vulnerable.
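The detection logic above, applied to web-server access logs, as an added example that is not part of this record or its sources. It assumes an Apache/nginx combined log format with one extra quoted field holding the request's Cookie header (so that a missing wordpress_logged_in_ cookie can stand in for "unauthenticated"); the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real traffic): combined log format plus an
# assumed trailing quoted Cookie field. Lines 1-2 are unauthenticated export
# hits (csv and xml), line 3 is a logged-in user, line 4 is not the export tab.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Mar/2021:10:01:02 +0000] "GET /wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv HTTP/1.1" 200 8421 "-" "curl/7.68.0" "-"
203.0.113.5 - - [18/Mar/2021:10:01:09 +0000] "GET /wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=xml HTTP/1.1" 200 9310 "-" "curl/7.68.0" "-"
198.51.100.7 - - [18/Mar/2021:10:05:44 +0000] "GET /wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv HTTP/1.1" 200 8421 "-" "Mozilla/5.0" "wordpress_logged_in_abc=admin%7C1616065200%7Ctoken"
198.51.100.9 - - [18/Mar/2021:10:06:00 +0000] "GET /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# Query parameters that identify the MEC export action (from the IOC above).
REQUIRED = {"page": "MEC-ix", "tab": "MEC-export", "mec-ix-action": "export-events"}

def is_mec_export(target):
    """Return 'csv' or 'xml' if the request targets the MEC export endpoint, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    qs = parse_qs(parts.query)
    for key, want in REQUIRED.items():
        if qs.get(key, [None])[0] != want:
            return None
    fmt = qs.get("format", [None])[0]
    return fmt if fmt in ("csv", "xml") else None

def find_export_hits(log_text):
    """Return one dict per GET request to the export endpoint, flagging missing login cookies."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        fmt = is_mec_export(m.group("target"))
        if fmt is None:
            continue
        unauth = "wordpress_logged_in_" not in m.group("cookie")
        hits.append({"ip": m.group("ip"), "format": fmt,
                     "status": int(m.group("status")), "unauthenticated": unauth})
    return hits

if __name__ == "__main__":
    for hit in find_export_hits(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 and no login cookie matches the exploitation pattern described above; hits from logged-in users are legitimate exports and can be filtered out.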

CVSS provenance

nvd  v3.1  7.5  HIGH    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd  v2.0  5.0  MEDIUM  AV:N/AC:L/Au:N/C:N/I:P/A:N