The plugin did not properly check the imported file, allowing PHP files to be uploaded by an administrator by using the ‘text/csv’ content-type in the request. The issue could also be exploited via a CSRF attack, as that check was also missing.
https://drive.google.com/file/d/1qQfqnQOObBOmCFTTw1uGYmwxWe6uljhb/view?usp=sharing
The uploaded file will be at /wp-content/uploads/aa.php
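As an added hardening example (not the plugin's own code), the following WordPress admin import handler addresses both weaknesses described above: it enforces a nonce against CSRF and validates the upload by extension and actual content rather than by the client-declared content type. The function, action and field names are hypothetical placeholders.

```php
<?php
// Added defensive example, not the plugin's code: a CSV import handler
// that never trusts the client-declared Content-Type and requires a nonce.
// All names (example_*) are hypothetical placeholders.

function example_handle_csv_import() {
    // Capability check plus a nonce: an admin's browser cannot be made to
    // submit this form cross-site without the per-session nonce value.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_csv_import', 'example_csv_nonce' );

    if ( empty( $_FILES['csv_file'] ) || UPLOAD_ERR_OK !== $_FILES['csv_file']['error'] ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }
    $tmp  = $_FILES['csv_file']['tmp_name'];
    $name = sanitize_file_name( $_FILES['csv_file']['name'] );

    // $_FILES[...]['type'] is the Content-Type the client sent in the multipart
    // body; it is fully attacker-controlled and is deliberately not consulted.
    // Require a .csv extension on the original filename instead.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( 'csv' !== $ext ) {
        wp_die( 'Only .csv files are accepted.', '', array( 'response' => 415 ) );
    }

    // Sniff the real bytes: a CSV is plain text. libmagic reports PHP source
    // as text/x-php, so it falls outside the allow-list; the prefix scan is a
    // second, independent check on the leading bytes.
    $finfo   = new finfo( FILEINFO_MIME_TYPE );
    $real    = $finfo->file( $tmp );
    $allowed = array( 'text/plain', 'text/csv', 'application/csv' );
    $head    = file_get_contents( $tmp, false, null, 0, 4096 );
    if ( ! in_array( $real, $allowed, true ) || false !== stripos( $head, '<?php' ) ) {
        wp_die( 'Upload content is not CSV.', '', array( 'response' => 415 ) );
    }

    // Parse straight from the PHP temp file. Nothing is copied into
    // wp-content/uploads, so no web-reachable file is ever created.
    $rows = array();
    if ( false !== ( $fh = fopen( $tmp, 'r' ) ) ) {
        while ( false !== ( $row = fgetcsv( $fh ) ) ) {
            $rows[] = $row;
        }
        fclose( $fh );
    }
    return $rows;
}
add_action( 'admin_post_example_csv_import', 'example_handle_csv_import' );
```

The matching form must include `wp_nonce_field( 'example_csv_import', 'example_csv_nonce' )` for `check_admin_referer` to succeed.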
| CPE | Name | Operator | Version |
|---|---|---|---|
| | modern-events-calendar-lite | lt | 5.16.5 |