CVE-2021-24946
published 2021-12-13


Priority: P1 (86) · Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 73.41% (99.4th percentile)

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, which is available to unauthenticated users, leading to an unauthenticated SQL injection issue.

Affected (1 range)

Vendor   Product                       Version range   Fixed in
webnus   modern_events_calendar_lite   < 6.1.5         6.1.5

Detection & IOCs (extracted from sources)

Indicator (other): action=mec_load_single_page
  • Monitor HTTP requests, including unauthenticated ones, to wp-admin/admin-ajax.php with the parameter action=mec_load_single_page and anomalous or SQL-payload values in the 'time' parameter; these indicate blind, time-based SQL injection attempts.
  • Alert on HTTP responses with status code 200 or 500 whose body contains the strings 'The event is finished' or 'been a critical error' when they answer a request to the mec_load_single_page AJAX action, since these strings serve as oracle conditions during exploitation.
  • The vulnerability is exploitable by unauthenticated users: no session cookie or authentication token is required. Prioritise detections that fire on unauthenticated POST or GET requests to admin-ajax.php carrying this action.
  • The injection point is specifically the 'time' parameter (-p time in sqlmap). Flag requests whose 'time' parameter contains SQL metacharacters, sleep/benchmark payloads, or other SQLi patterns.
  • Only Modern Events Calendar Lite versions before 6.1.5 are affected. Installations running 6.1.5 or later are not affected.
  • Because the exploit targets an unauthenticated AJAX endpoint, WAF/IDS rules must not restrict detection to authenticated sessions; all traffic to this endpoint must be inspected.
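As an added example, and not code from the page, the plugin vendor, sqlmap or any Nuclei template, the following Python triage routine implements the detection points above over constructed sample traffic. It assumes WAF-style records that carry the decoded request line, the POST body, the response status and a response snippet; it assumes a legitimate 'time' value is a bare numeric timestamp; and its SQLi regexes are generic heuristics of my own, not signatures from any published rule. It also includes the version check implied by the affected range.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# Constructed detection logic for CVE-2021-24946; assumptions are noted inline.
TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "mec_load_single_page"
INJECTION_PARAM = "time"
ORACLE_STRINGS = ("The event is finished", "been a critical error")
FIXED_VERSION = (6, 1, 5)

# Generic SQLi indicators (my own heuristics). Assumption: a legitimate 'time'
# value is a bare Unix timestamp, so anything else is at least anomalous.
SQLI_PATTERNS = [
    re.compile(r"(?i)\b(sleep|benchmark)\s*\("),                        # time-based payloads
    re.compile(r"(?i)\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b"),       # union / sub-select
    re.compile(r"(?i)\b(and|or)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),   # boolean tautologies
    re.compile(r"['\"`]|--[\s-]|#|/\*"),                                 # quotes / comment markers
]


def is_vulnerable_version(version: str) -> bool:
    """True when a dotted numeric plugin version is below the fixed release 6.1.5."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


def parse_params(query: str, body: str) -> dict:
    """Merge GET query and POST form body (body wins on conflict).
    parse_qs decodes once; the extra unquote_plus catches double-encoded
    payloads such as %2527 -> %27 -> ' that a single decode would miss."""
    params = {}
    for raw in (query, body):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            params[key] = unquote_plus(values[-1])
    return params


def is_sqli_like(value: str) -> bool:
    return any(p.search(value) for p in SQLI_PATTERNS)


def analyze(req: dict) -> Optional[dict]:
    """Return a finding for requests to the vulnerable AJAX action, else None.
    Record keys (constructed shape): method, path, query, body, status, response, cookie."""
    if not req["path"].endswith(TARGET_PATH):
        return None
    params = parse_params(req.get("query", ""), req.get("body", ""))
    if params.get("action") != TARGET_ACTION:
        return None
    time_value = params.get(INJECTION_PARAM, "")
    sqli = is_sqli_like(time_value)
    anomalous = bool(time_value) and not time_value.isdigit()
    oracle = req.get("status") in (200, 500) and any(
        s in req.get("response", "") for s in ORACLE_STRINGS)
    if sqli and oracle:
        verdict = "likely_exploitation"   # payload in 'time' and an oracle string came back
    elif sqli or anomalous:
        verdict = "sqli_attempt"
    elif oracle:
        verdict = "review"                # oracle text on a clean request: probably a plain error
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "time": time_value,
        "sqli_in_time": sqli,
        "oracle_in_response": oracle,
        # Unauthenticated is the expected case; a cookie must not lower the priority.
        "authenticated": bool(req.get("cookie")),
    }


def scan(records) -> list:
    """Run analyze over a batch and keep non-benign hits as (index, verdict, time value)."""
    hits = []
    for i, rec in enumerate(records):
        finding = analyze(rec)
        if finding and finding["verdict"] != "benign":
            hits.append((i, finding["verdict"], finding["time"]))
    return hits


# Constructed sample traffic (not real logs): one legitimate call, one sqlmap-style
# time-based payload, one double-encoded tautology, and one unrelated AJAX action.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/wp-admin/admin-ajax.php",
     "query": "action=mec_load_single_page&id=12&time=1639353600",
     "body": "", "status": 200, "response": "<div class=\"mec-single-event\">", "cookie": ""},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "query": "",
     "body": "action=mec_load_single_page&id=12&time=1639353600%27+AND+%28SELECT+1+FROM+%28SELECT%28SLEEP%285%29%29%29a%29--+-",
     "status": 200, "response": "The event is finished", "cookie": ""},
    {"method": "GET", "path": "/blog/wp-admin/admin-ajax.php",
     "query": "action=mec_load_single_page&id=12&time=1%2527%2520OR%25201%253D1",
     "body": "", "status": 500, "response": "There has been a critical error on this website.", "cookie": ""},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "query": "",
     "body": "action=heartbeat&time=1639353600%27", "status": 200, "response": "",
     "cookie": "wordpress_logged_in=abc"},
]

if __name__ == "__main__":
    for idx, verdict, value in scan(SAMPLE_REQUESTS):
        print(f"request[{idx}] {verdict}: time={value!r}")
```

The response-side oracle check only raises the verdict when a suspicious 'time' value was seen on the same request; on its own, 'been a critical error' is a generic WordPress fatal-error page and would otherwise flood the queue with unrelated PHP errors.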

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -