.. / CVE-2021-24145

Exploit for WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload (CVE-2021-24145)

Description:

WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution.

Nuclei Template

View the template here CVE-2021-24145.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2021/CVE-2021-24145.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-24145
https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
https://github.com/dnr6419/CVE-2021-24145
https://github.com/k0mi-tg/CVE-POC
https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.15.5.zip

.. / CVE-2021-24145 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for WordPress Modern Events Calendar Lite <5.16.5 - Authenticated Arbitrary File Upload (CVE-2021-24145)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2021-24145