CVE-2021-24149 – Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-24149
The Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue.
https://wpscan.com/vulnerability/26819680-22a8-4348-b63d-dc52c0d50ed0
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-9459 – Modern Events Calendar Lite <= 5.1.6 - Missing Authorization to Stored Cross-Site Scripting and Settings Update
https://notcve.org/view.php?id=CVE-2020-9459
Multiple stored cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allow remote authenticated users (with minimal permissions) to inject arbitrary JavaScript, HTML, or CSS via Ajax actions. This affects mec_save_notifications and import_settings.
https://wpvulndb.com/vulnerabilities/10100
https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')