{"api_version":"1","generated_at":"2026-04-21T08:58:13+00:00","cve":"CVE-2021-24145","urls":{"html":"https://cve.report/CVE-2021-24145","api":"https://cve.report/api/cve/CVE-2021-24145.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-24145","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-24145"},"summary":{"title":"CVE-2021-24145","description":"Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.","state":"PUBLIC","assigner":"contact@wpscan.com","published_at":"2021-03-18 15:15:00","updated_at":"2021-12-03 18:07:00"},"problem_types":["CWE-434"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html","name":"http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html","refsource":"MISC","tags":[],"title":"WordPress Modern Events Calendar 5.16.2 Shell Upload ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Attention Required! | Cloudflare","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html","refsource":"MISC","tags":[],"title":"WordPress Modern Events Calendar Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-24145","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-24145","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)","lang":""}],"nvd_cpes":[{"cve_year":"2021","cve_id":"24145","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"webnus","cpe5":"modern_events_calendar_lite","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"contact@wpscan.com","ID":"CVE-2021-24145","STATE":"PUBLIC","TITLE":"Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Modern Events Calendar Lite","version":{"version_data":[{"version_affected":"<","version_name":"5.16.5","version_value":"5.16.5"}]}}]},"vendor_name":"Unknown"}]}},"credit":[{"lang":"eng","value":"Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request."}]},"generator":{"engine":"Vulnogram 0.0.9"},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-434 Unrestricted Upload of File with Dangerous Type"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610","name":"https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html","url":"http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html","url":"http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html"}]},"source":{"discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-03-18 15:15:00","lastModifiedDate":"2021-12-03 18:07:00","problem_types":["CWE-434"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"5.16.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"24145","Ordinal":"198907","Title":"CVE-2021-24145","CVE":"CVE-2021-24145","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"24145","Ordinal":"1","NoteData":"Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"24145","Ordinal":"2","NoteData":"2021-03-18","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"24145","Ordinal":"3","NoteData":"2021-07-26","Type":"Other","Title":"Modified"}]}}}