CVE-2021-24946
CRITICAL · EXPLOITED IN THE WILD · NUCLEI
WordPress Modern Events Calendar SQLi Scanner
Title source: metasploit
Description
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, which is available to unauthenticated users, leading to an unauthenticated SQL injection issue.
Exploits (2)
metasploit
WORKING POC
by h00die, Hacker5preme (Ron Jost), red0xff · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_modern_events_calendar_sqli.rb
Nuclei Templates (1)
WordPress Modern Events Calendar <6.1.5 - Blind SQL Injection
CRITICAL · VERIFIED · by theamanrawat
References (3)
Scores
CVSS v3
9.8
EPSS
0.6014
EPSS Percentile
98.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2021-11-15
InTheWild.io
2022-05-31
CWE
CWE-89
Status
published
Products (1)
webnus/modern_events_calendar_lite
< 6.1.5
Published
Dec 13, 2021
Tracked Since
Feb 18, 2026