CVE-2021-24145
📋 TL;DR
Modern Events Calendar Lite before 5.16.5 does not properly validate files submitted to its import feature. An authenticated WordPress administrator can upload a PHP file by declaring the file part as text/csv in the multipart request; the server-side check trusts that client-supplied content type, stores the file under the site's uploads directory, and the web server then executes it, giving remote code execution. Only WordPress sites running a vulnerable version of this specific plugin are affected, and the attacker needs administrator-level access first, so the flaw matters most where admin credentials are shared, phished or stolen.
💻 Affected Systems
- Modern Events Calendar Lite WordPress Plugin
📦 What is this software?
Modern Events Calendar Lite is the free edition of the Modern Events Calendar WordPress plugin by Webnus. It lets site owners create, manage and display event listings, and it includes an import feature that accepts CSV files of events; that import path is where this vulnerability lives.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, malware deployment, or complete site takeover via remote code execution.
Likely Case
Attackers upload web shells to gain persistent access, deface websites, or use the server for malicious activities.
If Mitigated
With the patch applied, or with PHP execution disabled under wp-content/uploads, a smuggled file is either rejected at upload time or cannot be executed, and the attempt leaves an audit trail if upload requests are logged.
🎯 Exploit Status
Public exploit scripts and detailed write-ups exist (see References). Exploitation requires administrator credentials, but once those are obtained it is a single crafted upload request followed by a GET to the uploaded file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.16.5 and later
Vendor Advisory: https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610
Restart Required: No
Instructions:
1. Log into WordPress admin dashboard
2. Navigate to Plugins → Installed Plugins
3. Find Modern Events Calendar Lite
4. Click 'Update Now' if available
5. If auto-update fails, download version 5.16.5+ from WordPress.org and manually update
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate modern-events-calendar-lite
Restrict File Uploads
Block PHP execution under wp-content/uploads (do not apply the rule site-wide: that would also break wp-admin and the front end)
# Apache, in wp-content/uploads/.htaccess (needs AllowOverride; Apache 2.4 syntax, on 2.2 use "Deny from all")
<FilesMatch "\.ph(p[0-9]?|tml|ar)(\.|$)">
    Require all denied
</FilesMatch>
# Nginx, in the server block; regex locations match in order of appearance, so this must come before the generic "location ~ \.php$" handler, then reload nginx
location ~* ^/wp-content/uploads/.*\.ph(p[0-9]?|tml|ar)(\.|$) {
    deny all;
}
🧯 If You Can't Patch
- Remove administrator access from untrusted users, rotate the credentials of any administrator account that may have been exposed, and require MFA for the remaining administrators
- Add a web application firewall rule that blocks multipart uploads to /wp-admin/admin-ajax.php whose file part has a PHP extension (including double extensions such as .php.csv) or begins with a PHP open tag; key the rule on the filename and content, not on the part's Content-Type, because the attacker sets that header
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin dashboard open Plugins → Installed Plugins and read the Modern Events Calendar Lite version; any version below 5.16.5 is vulnerable
Check Version:
wp plugin get modern-events-calendar-lite --field=version
Verify Fix Applied:
Confirm the plugin version is 5.16.5 or higher. To confirm behaviour rather than just the version number, attempt a CSV import of a file with a .php name on a staging copy and check that it is rejected and that no new .php file appears under wp-content/uploads/
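Version checks are easy to get wrong with plain string comparison ("5.16.10" sorts before "5.16.5" as text). The script below is an added example, not code from the plugin or from wp-cli: FIXED_VERSION is the release this advisory names, and installed_version() assumes wp-cli is on PATH with access to the WordPress install (pass a version on the command line to skip that).

```python
"""Decide whether an installed Modern Events Calendar Lite is below the
fixed release. Added example, not wp-cli's or the plugin's code; FIXED_VERSION
is the version this advisory names, and running installed_version() assumes
wp-cli is on PATH with access to the WordPress install.
"""
import re
import subprocess

PLUGIN_SLUG = "modern-events-calendar-lite"
FIXED_VERSION = "5.16.5"


def parse_version(version: str) -> tuple:
    """'5.16.2' -> (5, 16, 2); a trailing label such as '-beta' is dropped."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in match.group(0).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Numeric comparison; string comparison would call 5.16.10 older than 5.16.5."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so 5.16 compares as 5.16.0
    b += (0,) * (width - len(b))
    return a < b


def installed_version(wp_path: str = None) -> str:
    """Ask wp-cli for the plugin version (the same command this page shows)."""
    cmd = ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else installed_version()
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    print(f"{PLUGIN_SLUG} {version}: {state} (fixed in {FIXED_VERSION})")
```

Run it as `python3 check_mec.py` on the server, or `python3 check_mec.py 5.16.2` to test the comparison offline.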
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php carrying action=mec_import whose multipart file part is declared text/csv but has a .php filename or PHP content. Standard access logs record neither POST parameters nor the headers of multipart parts, so this indicator needs a WAF audit log, a reverse proxy that logs request bodies, or application-level logging
- New files with a .php (or .phtml, .phar, .php5) extension under wp-content/uploads/, in particular wp-content/uploads/mec/; the uploads tree should never contain executable code
Network Indicators:
- Unusual outbound connections from web server following CSV import requests
SIEM Query (pseudo-syntax; the field names depend on your log source, which must record POST parameters and the file part's Content-Type for this to match):
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND params.action="mec_import" AND content_type="text/csv"
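The WAF rule described under "If You Can't Patch" and the log indicators above both come down to the same check: look at what the file part actually is, not what the client says it is. The script below is an added example (not code from the plugin, the advisory or any WAF product) that parses a multipart import body with Python's standard library, flags file parts with a PHP extension or a PHP open tag regardless of the declared Content-Type, and also filters an uploads directory listing for PHP-looking files. It assumes the import request's form field is named action with the value mec_import (the value this page lists) and a file field named feed; the request body and the extension list are constructed for illustration.

```python
"""Inspect a multipart upload for PHP smuggled under a CSV label, and list
PHP files under an uploads tree.

Added example, not code from the plugin or the advisory. Assumptions: the
import request is a multipart/form-data POST whose 'action' field is
mec_import (the value this page lists) and whose file field is 'feed';
PHP_EXTENSIONS reflects common PHP handler mappings; SAMPLE_BODY and
BENIGN_BODY are constructed, not captured.
"""
import email
import email.policy
import os
import re
from typing import Iterable

PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
IMPORT_ACTIONS = {"mec_import"}  # assumed AJAX action of the CSV import


def has_php_extension(path: str) -> bool:
    """True if any extension component after the base name is PHP-like.

    Every component is checked so events.php.csv is caught too: Apache
    setups that map PHP with AddHandler execute such double-extension names.
    """
    basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(ext in PHP_EXTENSIONS for ext in basename.split(".")[1:])


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into parts with the stdlib parser.

    The email package handles any multipart/* type, so prepending a
    Content-Type header is enough to reuse it for form-data bodies.
    """
    header = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'.encode()
    msg = email.message_from_bytes(header + body, policy=email.policy.default)
    return list(msg.iter_parts())


def inspect_import_upload(body: bytes, boundary: str) -> dict:
    """Return the AJAX action and every file part that carries PHP.

    The declared Content-Type is recorded but never trusted: the client
    chooses it, which is exactly how the vulnerable check was bypassed.
    """
    action = None
    findings = []
    for part in parse_multipart(body, boundary):
        field = part.get_param("name", header="content-disposition")
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename is None:            # plain form field, not a file
            if field == "action":
                action = payload.decode("utf-8", "replace").strip()
            continue
        reasons = []
        if has_php_extension(filename):
            reasons.append("php extension")
        if PHP_OPEN_TAG.search(payload):
            reasons.append("php open tag in content")
        if reasons:
            findings.append({
                "field": field,
                "filename": filename,
                "declared_type": part.get_content_type(),
                "reasons": reasons,
            })
    return {"action": action, "is_import": action in IMPORT_ACTIONS, "findings": findings}


def php_files_in(paths: Iterable[str]) -> list:
    """Filter relative paths (for example from os.walk of wp-content/uploads) to PHP-like names."""
    return sorted(p for p in paths if has_php_extension(p))


def scan_uploads_dir(root: str) -> list:
    """Walk an uploads directory and return PHP-like files relative to root."""
    rel = [
        os.path.relpath(os.path.join(dirpath, name), root)
        for dirpath, _, names in os.walk(root)
        for name in names
    ]
    return php_files_in(rel)


SAMPLE_BOUNDARY = "----ExampleBoundary7MA4YWxk"
# Constructed request body for a smuggled upload (not a captured request).
SAMPLE_BODY = (
    b"------ExampleBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="action"\r\n'
    b"\r\n"
    b"mec_import\r\n"
    b"------ExampleBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="feed"; filename="events.php"\r\n'
    b"Content-Type: text/csv\r\n"
    b"\r\n"
    b"<?php echo 'marker'; ?>\r\n"
    b"------ExampleBoundary7MA4YWxk--\r\n"
)
# Constructed benign import body for comparison: same request, real CSV.
BENIGN_BODY = SAMPLE_BODY.replace(b'filename="events.php"', b'filename="events.csv"').replace(
    b"<?php echo 'marker'; ?>", b"title,start\r\nMeetup,2021-07-01"
)

if __name__ == "__main__":
    import json
    print(json.dumps(inspect_import_upload(SAMPLE_BODY, SAMPLE_BOUNDARY), indent=2))
    print(json.dumps(inspect_import_upload(BENIGN_BODY, SAMPLE_BOUNDARY), indent=2))
```

For live use, feed inspect_import_upload() the raw body and boundary from a WAF audit record or a body-logging reverse proxy, and run scan_uploads_dir("/var/www/html/wp-content/uploads") from a cron job or file-integrity check; any non-empty result is worth an alert.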
🔗 References
- http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html
- http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html
- https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610