CVE-2021-24146
Published 2021-03-18
Priority: P2 (65) · CVSS 3.1: 7.5 High · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit: public exploit available · EPSS: 31.04% (98.0th percentile)
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to export all event data in CSV or XML format, for example.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webnus | modern_events_calendar_lite | < 5.16.5 | 5.16.5 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to the MEC export endpoint. The request requires no authentication and targets wp-admin/admin.php with the query parameters page=MEC-ix, tab=MEC-export, mec-ix-action=export-events and format=csv (or format=xml).
- A successful exploitation response returns HTTP status 200 with content-type text/csv and a header value containing 'mec-events', indicating event data was exported without authentication.
- Monitor for unauthenticated access to wp-admin/admin.php with query parameters containing 'MEC-ix', 'MEC-export' and 'export-events'; these are specific to the Modern Events Calendar Lite export functionality exploited in CVE-2021-24146.
- The exploit also supports XML export in addition to CSV; detection rules should cover both the format=csv and format=xml variants of the export URL.
- The vulnerability affects Modern Events Calendar Lite versions before 5.16.5; installations already on 5.16.5 or later are not vulnerable.
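The request and response signatures above, turned into detection logic that runs over web-server access logs. This is an added example written for this page, not code from the plugin, the Exploit-DB entry or the Nuclei template; the combined-format log lines and the response headers it is run against are constructed, and accepting text/xml or application/xml for the XML variant is an assumption (the page only gives text/csv for the CSV variant).

```python
"""Detection logic for CVE-2021-24146 export requests (added example, not
code from the plugin, Exploit-DB or Nuclei). The access-log format
(Apache/nginx combined) and every sample line/header below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters that identify the MEC export endpoint (from the IOC text).
REQUIRED_PARAMS = {
    "page": "mec-ix",
    "tab": "mec-export",
    "mec-ix-action": "export-events",
}
EXPORT_FORMATS = {"csv", "xml"}

# Combined log format: ip - user [ts] "METHOD target HTTP/x" status bytes ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def mec_export_format(target):
    """Return 'csv' or 'xml' when the request target is the MEC export URL,
    otherwise None. Query keys and values are URL-decoded and lower-cased so
    percent-encoded or mixed-case variants of the same request still match."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/wp-admin/admin.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    norm = {k.lower(): [v.lower() for v in vs] for k, vs in qs.items()}
    for key, expected in REQUIRED_PARAMS.items():
        if expected not in norm.get(key, []):
            return None
    for fmt in norm.get("format", []):
        if fmt in EXPORT_FORMATS:
            return fmt
    return None


def is_export_response(status, headers):
    """Signature of a successful export: HTTP 200, a CSV (or, by assumption,
    XML) content type, and 'mec-events' somewhere in the response headers,
    mirroring the header match described in the IOCs."""
    if status != 200:
        return False
    h = {k.lower(): v.lower() for k, v in headers.items()}
    ctype = h.get("content-type", "")
    export_type = ctype.startswith("text/csv") or ctype.startswith(
        ("text/xml", "application/xml")
    )
    return export_type and any("mec-events" in v for v in h.values())


def scan_access_log(lines):
    """Return one finding per log line that hits the export endpoint. Access
    logs do not show whether a session cookie was sent, so every hit is
    reported; status 200 is flagged as a likely successful export."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        fmt = mec_export_format(m["target"])
        if fmt is None:
            continue
        findings.append({
            "src_ip": m["ip"],
            "ts": m["ts"],
            "format": fmt,
            "status": int(m["status"]),
            "likely_success": m["status"] == "200",
        })
    return findings


# Constructed sample lines (not real traffic): a CSV export, an XML export
# with percent-encoding and mixed case, and two requests that must not match.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jul/2021:10:15:01 +0000] "GET /wp-admin/admin.php'
    '?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv '
    'HTTP/1.1" 200 48211 "-" "python-requests/2.25.1"',
    '203.0.113.5 - - [02/Jul/2021:10:15:03 +0000] "GET /wp-admin/admin.php'
    '?page=MEC%2Dix&tab=mec-export&mec-ix-action=export-events&format=XML '
    'HTTP/1.1" 200 91044 "-" "python-requests/2.25.1"',
    '198.51.100.7 - - [02/Jul/2021:10:16:10 +0000] "GET /wp-admin/admin.php'
    '?page=MEC-ix&tab=MEC-export HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jul/2021:10:16:12 +0000] "GET /events/ HTTP/1.1" '
    '200 17320 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A plain access log cannot tell an anonymous caller from a logged-in administrator who legitimately exported the calendar, so the scanner reports every hit on the export URL rather than guessing; where a proxy or WAF log carries request headers, the absence of a wordpress_logged_in_* cookie is the extra condition that turns a hit into an unauthenticated-access alert.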
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
No detection rules found.
Exploit-DB
Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)
exploitdb · 2021-07-02 · CVSS 7.5
---
# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)
# Date 01.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
# Version: Before 5.16.5
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24146
# CWE: CWE-863, CWE-284
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24146/README.md
'''
Description:
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin,
versions before 5.16.5, did not properly restrict access to the export files,
allowing unauthenticat
Nuclei
WordPress Modern Events Calendar Lite <5.16.5 - Sensitive Information Disclosure
nuclei · CVSS 7.5
WordPress Modern Events Calendar Lite before 5.16.5 does not properly restrict access to the export files, allowing unauthenticated users to export all event data in CSV or XML format.
Template:
id: CVE-2021-24146
info:
  name: WordPress Modern Events Calendar Lite <5.16.5 - Sensitive Information Disclosure
  author: random_robbie
  severity: high
  description: WordPress Modern Events Calendar Lite before 5.16.5 does not properly restrict access to the export files, allowing unauthenticated users to export all event data in CSV or XML format.
  impact: |
    An attacker can exploit this vulnerability to gain access to sensitive information, such as user credentials or database contents.
  remediation: |
    Update to the
References
- http://packetstormsecurity.com/files/163345/WordPress-Modern-Events-Calendar-5.16.2-Information-Disclosure.html
- https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc