Lucene search

[email protected]NVD:CVE-2024-6522

HistoryAug 07, 2024 - 11:15 a.m.

CVE-2024-6522

2024-08-0711:15:45

CWE-918

[email protected]

web.nvd.nist.gov

wordpress

ssrf

ajax

vulnerability

modern events calendar

server-side request forgery

CVSS3

8.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS

0.001

Percentile

30.6%

JSON

The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.12.1 via the ‘mec_fes_form’ AJAX function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

References

mec.webnus.net/change-log/

plugins.trac.wordpress.org/browser/modern-events-calendar-lite/trunk/app/features/fes.php#L54

wordpress.org/plugins/modern-events-calendar-lite/#developers

www.wordfence.com/threat-intel/vulnerabilities/id/00bf8f2f-6ab4-4430-800b-5b97abe7589e?source=cve

CVSS3

8.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS

0.001

Percentile

30.6%

JSON

Related for NVD:CVE-2024-6522

cvelist1 cve1 vulnrichment1 wordfence1