CVE-2021-24716 – Modern Events Calendar Lite < 5.22.3 - Authenticated Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-24716
The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin. El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 5.22.3, no sanea o escapa adecuadamente de los valores establecidos por los usuarios con acceso para ajustar la configuración con wp-admin • https://wpscan.com/vulnerability/576cc93d-1499-452b-97dd-80f69002e2a0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24687 – Modern Events Calendar Lite < 5.22.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24687
The Modern Events Calendar Lite WordPress plugin before 5.22.2 does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Modern Events Calendar Lite de WordPress versiones anteriores a 5.22.2, no escapa a algunas de sus configuraciones antes de mostrarlas en atributos, que permite a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html está deshabilitada • https://wpscan.com/vulnerability/300ba418-63ed-4c03-9031-263742ed522e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24147 – Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24147
Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. Una entrada no comprobada y una falta de codificación de salida en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.5, no sanean el campo mic_comment (Notas a tiempo) cuando agrega y edita un evento, permitiendo a usuarios con privilegios tan bajos como el autor para agregar eventos con una carga útil de tipo Cross-Site Scripting en ellos, que será activada en el frontend cuando se visualiza el evento • https://wpscan.com/vulnerability/0f9ba284-5d7e-4092-8344-c68316b0146f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24149 – Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-24149
Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. Una entrada no comprobada en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.6, no saneaba el parámetro mec[post_id] POST en la acción mec_fes_form AJAX cuando se iniciaba sesión como autor+, conllevando a un problema de inyección SQL autenticado • https://wpscan.com/vulnerability/26819680-22a8-4348-b63d-dc52c0d50ed0 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-24145 – Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
https://notcve.org/view.php?id=CVE-2021-24145
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. Una carga arbitraria de archivos en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.5, no comprobaba apropiadamente el archivo importado, permitiendo que los PHP sean cargados por el administrador al usar el tipo de contenido "text/csv" en la petición WordPress Modern Events Calendar plugin version 5.16.2 suffers from a remote shell upload vulnerability. • https://www.exploit-db.com/exploits/50082 https://github.com/dnr6419/CVE-2021-24145 http://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html http://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610 - • CWE-434: Unrestricted Upload of File with Dangerous Type •