CVE-2021-24146

high-risk
Published 2021-03-18

Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.

Do I need to act?

!
75.4% chance of exploitation in next 30 days
EPSS score — higher than 25% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
50084
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Webnus

References (4)

Exploit http://packetstormsecurity.com/files/163345/WordPress-Modern-Events-Calendar-5.1...
Exploit https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc
Exploit http://packetstormsecurity.com/files/163345/WordPress-Modern-Events-Calendar-5.1...
Exploit https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc
51
/ 100
high-risk
Severity 26/34 · High
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal