CVE-2021-24946

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

WordPress Modern Events Calendar SQLi Scanner

Title source: metasploit

Exploitation Summary

CVE-2021-24946 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including Ron Jost, h00die, Hacker5preme (Ron Jost) and red0xff, among them the Metasploit module auxiliary/scanner/http/wp_modern_events_calendar_sqli. A Nuclei detection template is also available.

Description

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, which is available to unauthenticated users, leading to an unauthenticated SQL injection issue.

Exploits (2)

exploitdb SCANNER
by Ron Jost · python · webapps · php
https://www.exploit-db.com/exploits/50687

This script automates SQL injection exploitation in WordPress Plugin Modern Events Calendar Lite by generating a sqlmap command targeting the 'time' parameter in the 'mec_load_single_page' AJAX action. It requires user input to specify the target and sqlmap retrieval options.

Classification: Scanner 90%
Attack Type: Sqli
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin Modern Events Calendar Lite <= 6.1
No auth needed
Prerequisites: sqlmap installed · target WordPress site with vulnerable plugin
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by h00die, Hacker5preme (Ron Jost), red0xff · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_modern_events_calendar_sqli.rb

This Metasploit module exploits an unauthenticated time-based SQL injection vulnerability in the WordPress Modern Events Calendar plugin (CVE-2021-24946). It enumerates user credentials from the wp_users table by injecting malicious payloads into the 'time' parameter.

Classification: Working Poc 95%
Attack Type: Sqli
Complexity: Moderate
Reliability: Reliable
Target: WordPress Modern Events Calendar Lite < 6.1.5
No auth needed
Prerequisites: Target running vulnerable version of Modern Events Calendar plugin · Network access to the WordPress admin-ajax.php endpoint
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

WordPress Modern Events Calendar <6.1.5 - Blind SQL Injection
CRITICAL · VERIFIED · by theamanrawat

Scores

CVSS v3: 9.8
EPSS: 0.7341
EPSS Percentile: 99.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2021-11-15
InTheWild.io: 2022-05-31
CWE: CWE-89
Status: published
Products (1): webnus/modern_events_calendar_lite < 6.1.5
Published: Dec 13, 2021
Tracked Since: Feb 18, 2026