CVE-2021-24145

HIGH NUCLEI LAB

Modern Events Calendar Lite < 5.16.5 - Arbitrary File Upload via CSV Import


Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-24145. PoCs were published by Ron Jost, dnr6419, and Nguyen Van Khanh, including the Metasploit module exploits/multi/http/wp_plugin_modern_events_calendar_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages an arbitrary file upload vulnerability in the Modern Events Calendar Lite WordPress plugin (versions before 5.16.5) by bypassing file type checks via the 'text/csv' content-type. It uploads a PHP shell (p0wny-shell) to achieve remote code execution.

Description

The Modern Events Calendar Lite WordPress plugin, in versions before 5.16.5, did not properly check the imported file, allowing an administrator to upload PHP files by using the 'text/csv' content-type in the request.

Exploits (3)

exploitdb WORKING POC
by Ron Jost · python · webapps · php
https://www.exploit-db.com/exploits/50082

This exploit leverages an arbitrary file upload vulnerability in the Modern Events Calendar Lite WordPress plugin (versions before 5.16.5) by bypassing file type checks via the 'text/csv' content-type. It uploads a PHP shell (p0wny-shell) to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Modern Events Calendar Lite WordPress Plugin < 5.16.5
Auth required
Prerequisites: Valid WordPress administrator credentials · Access to the WordPress admin panel
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by dnr6419 · poc
https://github.com/dnr6419/CVE-2021-24145

This repository contains a functional exploit for CVE-2021-24145, an arbitrary file upload vulnerability in the Modern Events Calendar Lite WordPress plugin (versions before 5.16.5). The PoC authenticates as an admin, uploads a malicious PHP shell disguised as a CSV file, and achieves remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Modern Events Calendar Lite WordPress plugin < 5.16.5
Auth required
Prerequisites: Admin credentials for WordPress · Modern Events Calendar Lite plugin installed and activated
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Nguyen Van Khanh, Ron Jost · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_plugin_modern_events_calendar_rce.rb

This Metasploit module exploits an arbitrary file upload vulnerability in the WordPress Modern Events Calendar plugin (CVE-2021-24145) by bypassing file extension checks via the `text/csv` content-type, allowing authenticated attackers to upload and execute a PHP payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Modern Events Calendar < 5.16.5
Auth required
Prerequisites: Valid WordPress admin credentials · Modern Events Calendar plugin < 5.16.5 installed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
HIGH · VERIFIED · by theamanrawat

References (3)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610

Scores

CVSS v3 7.2
EPSS 0.8816
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull wordpress:5.7.0-php7.4-apache

Details

CWE: CWE-434
Status: published
Products (1)
webnus/modern_events_calendar_lite < 5.16.5
Published Mar 18, 2021
Tracked Since Feb 18, 2026