CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 3CVE-2021-24146 – Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
https://notcve.org/view.php?id=CVE-2021-24146
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. Una falta de comprobaciones de autorización en el plugin de WordPress Modern Events Calendar Lite, versiones anteriores a 5.16.5, no restringió apropiadamente el acceso a los archivos de exportación, permitiendo a usuarios no autenticados exportar todos los datos de eventos en formato CSV o XML, por ejemplo WordPress Modern Events Calendar plugin version 5.16.2 suffers from an issue where unauthenticated parties can export all event data. • https://www.exploit-db.com/exploits/50084 http://packetstormsecurity.com/files/163345/WordPress-Modern-Events-Calendar-5.16.2-Information-Disclosure.html https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2020-9459 – Modern Events Calendar Lite <= 5.1.6 - Missing Authorization to Stored Cross-Site Scripting and Settings Update
https://notcve.org/view.php?id=CVE-2020-9459
Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allows remote authenticated users (with minimal permissions) to inject arbitrary JavaScript, HTML, or CSS via Ajax actions. This affects mec_save_notifications and import_settings. Múltiples vulnerabilidades de tipo Cross-site scripting (XSS) Almacenado en el plugin Webnus Modern Events Calendar Lite versiones hasta 5.1.6 para WordPress, permite a usuarios autentificados remotos (con permisos mínimos) inyectar JavaScript, HTML o CSS arbitrario por medio de acciones de Ajax. Esto afecta a mec_save_notifications y import_settings. • https://wpvulndb.com/vulnerabilities/10100 https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •