CVE-2021-24145

HIGH NUCLEI LAB

Webnus Modern Events Calendar Lite < 5.16.5 - Unrestricted File Upload

Description

Arbitrary file upload: the Modern Events Calendar Lite WordPress plugin, in versions before 5.16.5, did not properly check the imported file, allowing an administrator to upload PHP files by using the 'text/csv' content-type in the request.

Exploits (3)

exploitdb WORKING POC
by Ron Jost · python · webapps · php
https://www.exploit-db.com/exploits/50082
nomisec WORKING POC 3 stars
by dnr6419 · poc
https://github.com/dnr6419/CVE-2021-24145
metasploit WORKING POC EXCELLENT
by Nguyen Van Khanh, Ron Jost · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_plugin_modern_events_calendar_rce.rb

Nuclei Templates (1)

WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
HIGH · VERIFIED · by theamanrawat

Scores

CVSS v3 7.2
EPSS 0.9130
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull wordpress:5.7.0-php7.4-apache

Details

CWE
CWE-434
Status published
Products (1)
webnus/modern_events_calendar_lite < 5.16.5
Published Mar 18, 2021
Tracked Since Feb 18, 2026