CVE-2021-24946

9.8 CRITICAL

📋 TL;DR

This is an unauthenticated SQL injection vulnerability in the Modern Events Calendar Lite WordPress plugin. Attackers can exploit it by sending specially crafted requests to the mec_load_single_page AJAX endpoint without needing login credentials. Any WordPress site running the vulnerable plugin version is affected.

💻 Affected Systems

Products:
  • Modern Events Calendar Lite WordPress Plugin
Versions: All versions before 6.1.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default plugin configuration; no special settings required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise allowing data theft, modification, or deletion; potential privilege escalation to administrator; possible remote code execution via database functions.

🟠 Likely Case

Data exfiltration from the WordPress database including user credentials, sensitive content, and configuration data; potential site defacement or disruption.

🟢 If Mitigated

Limited impact with proper WAF rules, database permission restrictions, and network segmentation preventing data exfiltration.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation via public web interface with CVSS 9.8 score.
🏢 Internal Only: MEDIUM - Still exploitable internally but requires network access; reduced external attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available; exploitation requires simple HTTP requests to vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.5 and later

Vendor Advisory: https://wordpress.org/plugins/modern-events-calendar-lite/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Modern Events Calendar Lite.
4. Click 'Update Now' if available.
5. Alternatively, download version 6.1.5+ from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint (platform: linux)

Block access to the mec_load_single_page AJAX action via .htaccess or web server configuration. This rule matches only the query string, so a request that passes action=mec_load_single_page in the POST body is not caught by it; use it together with the WAF rule, which inspects the request body.

# Apache .htaccess:
RewriteEngine On
RewriteCond %{QUERY_STRING} action=mec_load_single_page [NC]
RewriteRule .* - [F,L]

WAF rule blocking (platform: all)

Implement web application firewall rules to block SQL injection patterns targeting the time parameter.

# ModSecurity example (phase 2 inspects both query string and request body):
SecRule ARGS:time "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt in MEC plugin'"

🧯 If You Can't Patch

  • Deactivate Modern Events Calendar Lite plugin immediately
  • Implement network segmentation to isolate WordPress instance and restrict database access

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Modern Events Calendar Lite → Version number. If version is below 6.1.5, you are vulnerable.

Check Version:

wp plugin list --name=modern-events-calendar-lite --field=version

(The --name filter takes the plugin slug, as used in the vendor URL above, not the display name.)

Verify Fix Applied:

Confirm plugin version is 6.1.5 or higher in WordPress admin panel; test AJAX endpoint with safe payload to ensure proper input sanitization.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=mec_load_single_page containing unusual time parameter values
  • Database error logs showing SQL syntax errors from WordPress queries
  • Unusual database query patterns from web server IP

Network Indicators:

  • HTTP requests with SQL injection payloads in time parameter
  • Multiple rapid requests to admin-ajax.php endpoint
  • Outbound database connections from web server to unexpected destinations

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=mec_load_single_page*" AND (query="*time=*UNION*" OR query="*time=*SELECT*" OR query="*time=*OR*" OR query="*time=*AND*")
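The log and network indicators above can be checked offline against web server access logs. The following is an added example, not part of the original advisory, that parses Apache combined-format lines, decodes the query string, flags requests to the mec_load_single_page action whose time parameter contains SQL tokens, and reports IPs that hit the action in rapid bursts. The log lines are constructed for the example, and the SQL-token heuristic is an assumption about what an injection attempt looks like rather than anything from the advisory; tune it to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2021:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=mec_load_single_page&id=12&time=1620648000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2021:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=mec_load_single_page&time=1%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 500 0 "-" "python-requests/2.25"
198.51.100.7 - - [10/May/2021:12:00:06 +0000] "POST /wp-admin/admin-ajax.php?action=mec_load_single_page&time=1%20OR%201%3D1 HTTP/1.1" 200 9000 "-" "python-requests/2.25"
203.0.113.11 - - [10/May/2021:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=mec_load_single_page&time=morning HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [10/May/2021:12:00:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

VULN_ACTION = "mec_load_single_page"

# SQL tokens matched as whole words on the *decoded* value, so a benign value
# such as "morning" (which merely contains "or") is not flagged the way a bare
# wildcard match like *time=*OR* would flag it. Heuristic, assumed for this example.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b"
    r"|\bor\b\s+\S+\s*=|\band\b\s+\S+\s*=|'|--|/\*|#)"
)


def parse_line(line):
    """Return a dict for admin-ajax.php requests, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    if parts.path != "/wp-admin/admin-ajax.php":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m.group("status")),
        "action": params.get("action", [""])[0],
        "time": params.get("time", [""])[0],
    }


def find_sqli_attempts(log_text):
    """Requests to the vulnerable action whose decoded time value carries SQL tokens."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == VULN_ACTION and SQLI_RE.search(rec["time"]):
            hits.append(rec)
    return hits


def find_bursts(log_text, threshold=2, window_seconds=10):
    """IPs that hit the vulnerable action `threshold` or more times within `window_seconds`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == VULN_ACTION:
            per_ip[rec["ip"]].append(rec["ts"])
    bursty = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                bursty.add(ip)
                break
    return sorted(bursty)


if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(f"{hit['ts'].isoformat()} {hit['ip']} status={hit['status']} time={hit['time']!r}")
    print("burst sources:", find_bursts(SAMPLE_LOG))
```

Note that a plain access log records only the query string, so an attacker who sends action and time in the POST body will not show up here; for that traffic rely on ModSecurity audit logs or the database error logs listed above. The word-boundary matching also avoids the false positives that a wildcard SIEM pattern such as *time=*OR* produces on ordinary values.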
