Vulnerability Description
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webnus | Modern Events Calendar Lite | < 6.1.5 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/165742/WordPress-Modern-Events-Calendar-6.1ExploitThird Party AdvisoryVDB Entry
- https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-24946ExploitThird Party Advisory
- https://wpscan.com/vulnerability/09871847-1d6a-4dfe-8a8c-f2f53ff87445ExploitThird Party Advisory
- http://packetstormsecurity.com/files/165742/WordPress-Modern-Events-Calendar-6.1ExploitThird Party AdvisoryVDB Entry
- https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-24946ExploitThird Party Advisory
- https://wpscan.com/vulnerability/09871847-1d6a-4dfe-8a8c-f2f53ff87445ExploitThird Party Advisory
FAQ
What is CVE-2021-24946?
CVE-2021-24946 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to u...
How severe is CVE-2021-24946?
CVE-2021-24946 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-24946?
Check the references section above for vendor advisories and patch information. Affected products include: Webnus Modern Events Calendar Lite.