CVE-2021-24145

Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
WPScanCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
webnusmodern_events_calendar_lite
𝑥
< 5.16.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html
http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html
https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html
http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html
https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610