CVE-2021-24145

Опубликовано: 18 мар. 2021

Источник: nvd

CVSS3: 7.2

CVSS2: 6.5

EPSS Критический

Описание

Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.

Ссылки

http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html
Exploit
Third Party Advisory
VDB Entry
http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
Exploit
Third Party Advisory
http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html
Exploit
Third Party Advisory
VDB Entry
http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:*

Версия до 5.16.5 (исключая)

EPSS

Процентиль: 100%

0.92343

Критический

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-5vmg-gchf-rcpm

github

больше 3 лет назад