Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable on sites with addslashes disabled.
Analysis
The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable on sites with addslashes disabled.
Technical ContextAI
SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterized queries.
RemediationAI
A vendor patch is available — apply it immediately. Use parameterized queries or prepared statements. Apply input validation and escape special characters. Implement least-privilege database accounts.
More in Modern Events Calendar Lite
View allArbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly chec
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before usi
Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[
The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validat
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not proper
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider par
The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and
The Modern Events Calendar Lite WordPress plugin before 6.4.0 does not sanitize and escape some of the Hourly Schedule p
The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users
Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.
Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.
The Modern Events Calendar Lite WordPress plugin before 6.5.2 does not sanitise and escape some of its settings, which c
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2021-34683