| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Unknown | Modern Events Calendar Lite | 5.16.5 ~ 5.16.5 | - |

| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | WordPress File Upload Vulnerability, Modern Events Calendar Lite WordPress plugin before 5.16.5 | https://github.com/dnr6419/CVE-2021-24145 | POC Details |
| 2 | WordPress Modern Events Calendar Lite plugin before 5.16.5 is susceptible to authenticated arbitrary file upload. The plugin does not properly check the imported file, allowing PHP files to be uploaded and/or executed by an administrator or other high-privilege user using the text/csv content-type in the request. This can possibly lead to remote code execution. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-24145.yaml | POC Details |
No public POC found.

| CVE | Title | |
|---|---|---|
| CVE-2021-24136 | Testimonials Widget < 4.0.0 - Multiple Authenticated Stored XSS | |
| CVE-2021-24149 | Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection | |
| CVE-2021-24148 | MStore API < 3.2.0 - Authentication Bypass With Sign In With Apple | |
| CVE-2021-24147 | Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24146 | Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export | |
| CVE-2021-24144 | Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection | |
| CVE-2021-24143 | AccessPress Social Icons < 1.8.1 - Authenticated SQL Injection | |
| CVE-2021-24142 | 301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection | |
| CVE-2021-24141 | Advanced Database Cleaner < 3.0.2 - Authenticated SQL injection | |
| CVE-2021-24140 | Ajax Load More < 5.3.2 - Authenticated SQL Injection | |
| CVE-2021-24139 | Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection | |
| CVE-2021-24138 | AdRotate < 5.8.4 - Authenticated SQL Injection | |
| CVE-2021-24137 | Blog2Social: Social Media Auto Post & Scheduler < 6.3.1 - Authenticated SQL Injection | |
| CVE-2021-24123 | PowerPress < 8.3.8 - Authenticated Arbitrary File Upload leading to RCE | |
| CVE-2021-24135 | WP Customer Reviews < 3.4.3 - Multiple Unauthenticated and Low Priv Authenticated Stored X | |
| CVE-2021-24134 | Constant Contact Forms < 1.8.8 - Multiple Authenticated Stored XSS | |
| CVE-2021-24133 | ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings | |
| CVE-2021-24132 | Slider by 10Web < 1.2.36 - Multiple Authenticated SQL Injection | |
| CVE-2021-24131 | Anti-Spam by CleanTalk < 5.149 - Multiple Authenticated SQL Injections | |
| CVE-2021-24130 | WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection | |