CVE-2021-24946

CWE-89 — SQL Injection6 documents6 sources

Severity

9.8CRITICAL

EPSS

60.1%

top 1.73%

CISA KEV

Not in KEV

Exploit

Exploited in wild

Active exploitation observed

Affected products

Unknown Modern Events Calendar Lite Webnus Modern Events Calendar Lite

Timeline

PublishedDec 13

Latest updateJan 27

Description

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDwebnus/modern_events_calendar_lite< 6.1.5

▶CVEListV5unknown/modern_events_calendar_lite6.1.5 — 6.1.5

🔴Vulnerability Details

GHSA

GHSA-8cmg-w5hw-x6p6: The Modern Events Calendar Lite WordPress plugin before 6↗2021-12-14

▶

CVEList

Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection↗2021-12-13

▶

VulnCheck

webnus modern_events_calendar_lite Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')↗2021

▶

💥Exploits & PoCs

Exploit-DB

WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)↗2022-01-27

▶

Nuclei

WordPress Modern Events Calendar <6.1.5 - Blind SQL Injection

▶