Vulnerability CVE-2021-24145


Published: 2021-03-18

Description:
The Modern Events Calendar Lite WordPress plugin, in versions before 5.16.5, did not properly check imported files, allowing an administrator to upload PHP files by using the 'text/csv' content-type in the request (arbitrary file upload).

See advisories in our WLB2 database:
Topic: WordPress Modern Events Calendar 5.16.2 Shell Upload (High)
Author: Ron Jost
Date: 02.07.2021

Type: CWE-434 (Unrestricted Upload of File with Dangerous Type)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10

Exploit range: Remote
Attack complexity: Low
Authentication: Single time

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software:
Webnus -> Modern events calendar lite

References:
https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610

Copyright 2024, cxsecurity.com

 
