CVE-2021-24149 — SQL Injection in Modern Events Calendar Lite

CWE-89 — SQL Injection3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.9%

top 24.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Webnus Modern Events Calendar Lite

Timeline

PublishedMar 18

Latest updateMay 24

Description

Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDwebnus/modern_events_calendar_lite< 5.16.6

🔴Vulnerability Details

GHSA

GHSA-5xcq-547q-fvjw: Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5↗2022-05-24

▶

CVEList

Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection↗2021-03-18

▶