CVE-2024-6522

HIGH

Modern Events Calendar <7.12.1 - SSRF

Title source: llm

Description

The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.12.1 via the 'mec_fes_form' AJAX function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

References (4)

Core 4

Core References

Release Notes

https://mec.webnus.net/change-log/

Product

https://plugins.trac.wordpress.org/browser/modern-events-calendar-lite/trunk/app/features/fes.php#L54

Product

https://wordpress.org/plugins/modern-events-calendar-lite/#developers

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/00bf8f2f-6ab4-4430-800b-5b97abe7589e?source=cve

Scores

CVSS v3 8.5

EPSS 0.0040

EPSS Percentile 32.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (4)

Webnus/Modern Events Calendar < 7.12.1

webnus/modern_events_calendar < 7.13.0

webnus/modern_events_calendar_lite < 7.13.0

webnus//Modern Events Calendar Lite < 7.12.1

Published Aug 07, 2024

Tracked Since Feb 18, 2026