← back
CVE-2021-24946

Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection

EPSS 73.4%CWE-89
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue
Affected products
Unknown · Modern Events Calendar Lite
public PoCs found2
exploitdbwww.exploit-db.com/exploits/50687unverifiedcve_referencepacketstormsecurity.com/files/165742/WordPress-Modern-Events-Calendar-6.1-SQL-Injection.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/165742/WordPress-Modern-Events-Calendar-6.1-SQL-Injection.htmlhttps://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-24946https://wpscan.com/vulnerability/09871847-1d6a-4dfe-8a8c-f2f53ff87445