Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection
Description
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Modern Events Calendar Lite plugin before 6.1.5 has an unauthenticated SQL injection via the time parameter in the mec_load_single_page AJAX action.
Vulnerability
The Modern Events Calendar Lite WordPress plugin before version 6.1.5 fails to sanitize and escape the time parameter before using it in a SQL statement within the mec_load_single_page AJAX action. This action is available to unauthenticated users, making the vulnerability exploitable without any prior privileges [2][1].
Exploitation
An unauthenticated attacker can send a crafted AJAX request to the vulnerable endpoint with a malicious time parameter containing SQL injection payloads. The attacker does not need authentication or special network position beyond normal web access. Proof-of-concept exploit code is publicly available [1][3].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the WordPress database, potentially leading to extraction of sensitive data such as user credentials, post content, and other stored information. This can result in complete information disclosure and possible further compromise of the site [2].
Mitigation
The vulnerability is fixed in version 6.1.5 of the plugin, released on 2021-11-15. Users should update immediately to this version or later. The plugin is listed on WordPress.org and no workaround other than updating is available [2].
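One way to look for probing of this action in web server access logs, as an added example that is not part of the original advisory or of the plugin's code. It assumes requests go through WordPress's wp-admin/admin-ajax.php, that a legitimate time value is purely numeric, and that parameters appear in the logged query string (POST bodies are not visible in access logs); the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Action and parameter names come from the advisory text.
ACTION = "mec_load_single_page"
PARAM = "time"
# Assumption: WordPress AJAX actions are served by wp-admin/admin-ajax.php.
AJAX_PATH = "/wp-admin/admin-ajax.php"
# Assumption: a legitimate `time` value contains only digits.
BENIGN_VALUE = re.compile(r"\d+")
# Common/combined log format: client, timestamp, request line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def suspicious_requests(lines):
    """Return (ip, timestamp, decoded time value) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        url = urlsplit(m.group("target"))
        if not url.path.endswith(AJAX_PATH):
            continue
        # parse_qs percent-decodes values; keep_blank_values keeps `time=`.
        params = parse_qs(url.query, keep_blank_values=True)
        if ACTION not in params.get("action", []):
            continue
        for value in params.get(PARAM, []):
            if not BENIGN_VALUE.fullmatch(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Nov/2021:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=mec_load_single_page&time=1637402462 HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Nov/2021:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=mec_load_single_page&time=1%27 HTTP/1.1" 200 0',
    '203.0.113.9 - - [20/Nov/2021:10:01:06 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&time=abc HTTP/1.1" 200 0',
    '198.51.100.7 - - [20/Nov/2021:10:01:09 +0000] "GET /index.php?time=x HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} unexpected time value: {value!r}")
```

A hit on a site still running a version before 6.1.5 is a reason to review database and application logs for the same client, not proof of compromise on its own.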
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/Modern Events Calendar Lite (description)
- Range: <6.1.5
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/165742/WordPress-Modern-Events-Calendar-6.1-SQL-Injection.html (mitre, x_refsource_MISC)
- github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-24946 (mitre, x_refsource_MISC)
- wpscan.com/vulnerability/09871847-1d6a-4dfe-8a8c-f2f53ff87445 (mitre, x_refsource_MISC)