Modern Events Calendar Lite Wordpress Plugin - Unauthenticated Events Export (CVE-2021-24146)

Name: Modern Events Calendar Lite Wordpress Plugin - Unauthenticated Events Export (CVE-2021-24146)
Published: 2021-09-15T00:00:00.000Z

Severity
CVE: CVE-2021-24146
CVSSv3 Score: 7.5
Exploitable with Sniper: No
Vulnerability description: Modern Events Calendar Lite Wordpress plugin server is affected by an Unauthenticated Events Export vulnerability, located in the wp-admin endpoint, that an unauthenticated attacker can use to to export all events data in CSV or XML format. The root cause of this vulnerability is that the plugin did not properly restrict access to the export files and was missing authorization checks.
Risk description: The risk exists that a remote unauthenticated attacker can read all events present on the server.
Recommendation: Update the Wordpress plugin to a version higher than 5.6.5.
References: https://nvd.nist.gov/vuln/detail/CVE-2021-24146
Detectable with: Network Scanner
Vuln date: Mar 2021
Published at: Sep 2021
Updated at: Sep 2021
Software Type: Wordpress plugin
Vendor: Webnus
Product: Modern Events Calendar Lite Server
Codename: Not available