CVE-2021-24145
Summary
| CVE | CVE-2021-24145 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-03-18 15:15:00 UTC |
| Updated | 2021-12-03 18:07:00 UTC |
| Description | Arbitrary file upload: the Modern Events Calendar Lite WordPress plugin, in versions before 5.16.5, did not properly check the imported file, allowing an administrator to upload PHP files by using the 'text/csv' content-type in the request. |
Risk And Classification
Problem Types: CWE-434
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Webnus | Modern Events Calendar Lite | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| WordPress Modern Events Calendar 5.16.2 Shell Upload ≈ Packet Storm | MISC | packetstormsecurity.com | |
| wpscan.com | CONFIRM | wpscan.com | |
| WordPress Modern Events Calendar Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)
There are currently no legacy QID mappings associated with this CVE.