Unrated severity · NVD Advisory · Published Mar 18, 2021 · Updated Aug 3, 2024

Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE

CVE-2021-24145

Description

The Modern Events Calendar Lite WordPress plugin, in versions before 5.16.5, did not properly check the imported file, allowing an administrator to upload PHP files by using the 'text/csv' content-type in the request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Arbitrary file upload in Modern Events Calendar Lite < 5.16.5 allows administrators to upload PHP files via 'text/csv' content-type, leading to RCE.

Vulnerability

Versions of the Modern Events Calendar Lite WordPress plugin before 5.16.5 contain an arbitrary file upload vulnerability. The plugin fails to properly check the imported file, allowing an administrator to upload PHP files by using the 'text/csv' content-type in the request [1].

Exploitation

An attacker with administrator privileges can upload a PHP file by crafting a request with the content-type set to 'text/csv'. The vulnerability could also be exploited via a CSRF attack, because a CSRF check is missing [1].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server, leading to remote code execution (RCE) and full compromise of the WordPress site.

Mitigation

The vulnerability is fixed in version 5.16.5 of the plugin. Users should update to the latest version immediately [1].
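
The two gaps named above, a file check that trusts the request's content-type and a missing CSRF check, shown as a weak validator beside a hardened one. This is an added example in plain PHP, not the plugin's code or its 5.16.5 fix; the function names, the token parameters and the sample uploads are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical import validators, not the plugin's own code.

// Weak: trusts the Content-Type the client wrote on the multipart part.
function weak_accept(array $file): bool
{
    return $file['type'] === 'text/csv';
}

// Hardened: ignores $file['type']; returns a server-chosen name, or null.
function strict_accept(array $file, string $sessionToken, string $postedToken): ?string
{
    // Anti-CSRF: the request must carry the token bound to the admin session.
    if ($sessionToken === '' || !hash_equals($sessionToken, $postedToken)) {
        return null;
    }
    // Allowlist the final extension of the client-supplied file name.
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'csv') {
        return null;
    }
    // The content must parse as CSV with a constant column count (>= 2).
    $fh = fopen($file['tmp_name'], 'r');
    if ($fh === false) {
        return null;
    }
    $cols = null;
    $ok = true;
    while ($ok && ($row = fgetcsv($fh, 0, ',', '"', '\\')) !== false) {
        if ($row === [null]) {
            continue; // blank line
        }
        $cols ??= count($row);
        $ok = $cols >= 2 && count($row) === $cols;
    }
    fclose($fh);
    // Never reuse the client's file name on disk.
    return ($ok && $cols !== null) ? bin2hex(random_bytes(16)) . '.csv' : null;
}

// Constructed samples in the shape of a $_FILES entry.
$php = tempnam(sys_get_temp_dir(), 'imp');
file_put_contents($php, "<?php echo 1;\n");
$csv = tempnam(sys_get_temp_dir(), 'imp');
file_put_contents($csv, "title,start\nMeetup,2021-03-18\n");
$bad  = ['name' => 'events.php', 'type' => 'text/csv', 'tmp_name' => $php];
$good = ['name' => 'events.csv', 'type' => 'text/csv', 'tmp_name' => $csv];
$token = bin2hex(random_bytes(16)); // stands in for a per-session token
var_dump(weak_accept($bad), strict_accept($bad, $token, $token),
    strict_accept($good, $token, ''), strict_accept($good, $token, $token));
unlink($php); unlink($csv);
```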

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

3
