← volver
CVE-2021-24145

Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE

EPSS 88.2%CWE-434
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.
Productos afectados
Unknown · Modern Events Calendar Lite
PoCs públicas encontradas4
githubgithub.com/dnr6419/CVE-2021-241453cve_referencepacketstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.htmlno verificadocve_referencepacketstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.htmlno verificadoexploitdbwww.exploit-db.com/exploits/50082no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.htmlhttp://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.htmlhttps://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610