CVE-2021-24145 Overview
CVE-2021-24145 is an arbitrary file upload vulnerability affecting the Modern Events Calendar Lite WordPress plugin developed by Webnus. Versions prior to 5.16.5 contain a flaw in the file import functionality that fails to properly validate uploaded files. This allows authenticated administrators to upload PHP files by manipulating the Content-Type header to text/csv in the request, effectively bypassing the intended file type restrictions.
Critical Impact
This vulnerability enables remote code execution on affected WordPress installations, allowing attackers with administrator access to upload malicious PHP web shells and gain persistent server access.
Affected Products
- Webnus Modern Events Calendar Lite versions prior to 5.16.5
- WordPress installations using the vulnerable plugin versions
Discovery Timeline
- 2021-03-18 - CVE-2021-24145 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-24145
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The root issue lies in how the plugin's import functionality processes uploaded files. The application relies on the Content-Type header sent by the client to decide whether a file is acceptable, rather than performing server-side inspection of the file's extension and actual contents. Because the client fully controls that header, the check provides no real protection, and an attacker with administrative privileges can bypass it at will.
When an administrator uploads a file through the import feature, the server accepts the Content-Type header at face value. By setting this header to text/csv, an attacker can upload a PHP file that the server will then save to a web-accessible location, enabling arbitrary code execution.
Root Cause
The vulnerability stems from improper input validation in the file upload handler. The plugin fails to implement proper file type verification mechanisms such as:
- Server-side MIME type detection using file signatures (magic bytes)
- File extension whitelisting with strict validation
- Content inspection to verify file structure matches expected format
Instead, the plugin trusts the user-supplied Content-Type header, which can be trivially manipulated using tools like Burp Suite, curl, or browser developer tools.
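The following added example (written for this page, not code from the Modern Events Calendar plugin or from Webnus) contrasts the flawed trust model with the three server-side checks listed above: extension whitelisting with double-extension rejection, signature checks on the bytes, and content inspection that confirms the upload actually parses as CSV. It is framework-agnostic Python; the sample uploads and the "hello" PHP file are constructed, and the declared Content-Type is deliberately ignored by the hardened path.

```python
import csv
import io
import os

# Constructed sample uploads (not taken from the plugin or the advisory).
LEGIT_CSV = (
    b"title,start_date,end_date\n"
    b"Team sync,2021-03-18,2021-03-18\n"
    b"Release,2021-03-19,2021-03-19\n"
)
# A harmless PHP file standing in for what an attacker would declare as text/csv.
PHP_DISGUISED = b"<?php echo 'hello'; ?>\n"

ALLOWED_EXTENSIONS = {".csv"}
# Extension segments that must never appear anywhere in the name (catches x.php.csv).
DANGEROUS_SEGMENTS = {"php", "php5", "php7", "phtml", "phar"}
# Markers that a genuine CSV export will never contain.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"#!")
# Magic bytes of binary formats that cannot be a CSV import.
BINARY_MAGIC = (b"\x7fELF", b"MZ", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"GIF8")


def vulnerable_accepts(filename, content, declared_content_type):
    """Models the flawed check: the client-supplied header alone decides."""
    return declared_content_type == "text/csv"


def hardened_accepts(filename, content, declared_content_type):
    """Server-side validation; declared_content_type is intentionally unused.

    Returns (accepted, reason) so callers can log why an upload was refused.
    """
    lower = filename.lower()
    _, ext = os.path.splitext(lower)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    segments = lower.split(".")[1:]  # every extension-like part after the base name
    bad = [s for s in segments if s in DANGEROUS_SEGMENTS]
    if bad:
        return False, f"dangerous extension segment {bad[0]!r}"
    if b"\x00" in content:
        return False, "null byte in content"
    if any(content.startswith(m) for m in BINARY_MAGIC):
        return False, "binary signature in content"
    if any(m in content.lower() for m in SCRIPT_MARKERS):
        return False, "script marker in content"
    try:
        text = content.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8 text"
    # Content inspection: the bytes must parse as a rectangular CSV table.
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if len(rows) < 2:
        return False, "need a header row and at least one data row"
    width = len(rows[0])
    if width < 2 or any(len(r) != width for r in rows[1:]):
        return False, "inconsistent column count"
    return True, "ok"


def compare(filename, content, declared_content_type="text/csv"):
    """Run both checks on one upload and report the verdicts side by side."""
    return {
        "vulnerable": vulnerable_accepts(filename, content, declared_content_type),
        "hardened": hardened_accepts(filename, content, declared_content_type),
    }


if __name__ == "__main__":
    for name, data in [("events.csv", LEGIT_CSV), ("shell.php", PHP_DISGUISED),
                       ("shell.php.csv", PHP_DISGUISED), ("events.csv", PHP_DISGUISED)]:
        print(name, compare(name, data))
```

The hardened path never consults the header because a CSV has no magic bytes of its own; the defence is the combination of a strict extension whitelist, rejection of known executable and script signatures, and a positive check that the bytes are what the import routine expects to parse.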
Attack Vector
The attack requires network access and high privileges (administrator role). An attacker who has obtained administrator credentials—through credential theft, brute force, or social engineering—can exploit this vulnerability through the following process:
- Authenticate to WordPress with administrator credentials
- Navigate to the Modern Events Calendar import functionality
- Prepare a malicious PHP web shell file
- Intercept the upload request and modify the Content-Type header to text/csv
- Submit the request with the PHP payload
- Access the uploaded PHP file to execute arbitrary commands on the server
The attack does not require user interaction once the attacker has administrator access, and the CVSS scope metric is Unchanged, meaning the impact is confined to the vulnerable WordPress installation rather than crossing into another security authority.
Detection Methods for CVE-2021-24145
Indicators of Compromise
- Unexpected PHP files in WordPress upload directories, particularly within plugin folders
- Web server logs showing requests to unusual PHP files in the uploads or plugin directories
- Upload requests to the Modern Events Calendar import endpoint whose declared Content-Type (text/csv) does not match the uploaded file's extension or actual contents
- Suspicious outbound network connections originating from the web server process
Detection Strategies
- Monitor file system changes in WordPress directories, especially for new PHP files outside of expected update patterns
- Implement Web Application Firewall (WAF) rules that compare the declared Content-Type of multipart uploads against the file name and contents, and block uploads containing PHP source to the import endpoint
- Review web server access logs for POST requests to the plugin's import functionality followed by GET requests to newly created PHP files
- Deploy file integrity monitoring on WordPress installations to detect unauthorized file additions
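As an added example of the log-review strategy above (written for this page, not a SentinelOne or Webnus tool), the script below correlates POST requests to the plugin's import endpoint with later GET requests to PHP files under wp-content/uploads or wp-content/plugins. The advisory does not name the exact import URL, so the IMPORT_RE pattern is an assumed placeholder to adapt to the observed request line; the combined-format log lines and IP addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache/nginx "combined"-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - admin [18/Mar/2021:10:00:01 +0000] "POST /wp-admin/admin.php?page=mec-import HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - admin [18/Mar/2021:10:00:09 +0000] "GET /wp-content/uploads/2021/03/events.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.2 - - [18/Mar/2021:10:01:00 +0000] "GET /wp-content/uploads/2021/03/flyer.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Mar/2021:10:04:30 +0000] "GET /wp-content/uploads/2021/03/events.php HTTP/1.1" 200 64 "-" "curl/7.68.0"
198.51.100.2 - - [18/Mar/2021:10:20:00 +0000] "POST /wp-admin/admin.php?page=mec-import HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed placeholder: any POST under /wp-admin/ whose path mentions "import".
IMPORT_RE = re.compile(r"^/wp-admin/.*import", re.I)
# A PHP file served from a directory that should only hold uploads or plugin assets.
UPLOADED_PHP_RE = re.compile(r"^/wp-content/(uploads|plugins)/.*\.php\d?(\?|$)", re.I)
WINDOW = timedelta(minutes=30)  # how long after the import POST a GET is suspicious


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def php_paths_under_content(log_text):
    """IoC helper: every PHP path requested under uploads/ or plugins/, deduplicated."""
    paths = set()
    for e in (parse_line(l) for l in log_text.splitlines()):
        if e and UPLOADED_PHP_RE.match(e["path"]):
            paths.add(e["path"].split("?", 1)[0])
    return sorted(paths)


def correlate(log_text):
    """Pair each import POST with GETs to uploaded PHP files inside WINDOW.

    The GET is matched regardless of client IP, since the file may be fetched
    from a different address than the one that uploaded it.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    posts = [e for e in events if e["method"] == "POST" and IMPORT_RE.match(e["path"])]
    gets = [e for e in events if e["method"] == "GET" and UPLOADED_PHP_RE.match(e["path"])]
    findings = []
    for p in posts:
        for g in gets:
            if p["ts"] <= g["ts"] <= p["ts"] + WINDOW:
                findings.append({
                    "import_post_at": p["ts"].isoformat(),
                    "uploader_ip": p["ip"],
                    "php_path": g["path"],
                    "client_ip": g["ip"],
                    "status": int(g["status"]),  # 200 means the PHP file really exists
                    "seconds_after_post": int((g["ts"] - p["ts"]).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
    print("PHP paths under wp-content:", php_paths_under_content(SAMPLE_LOG))
```

A GET that returns 200 for a .php path under uploads is the strongest signal, because a correctly configured site should never have PHP there at all; pair the finding with a file-integrity check of the named path before declaring an incident.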
Monitoring Recommendations
- Configure alerts for new PHP file creation in WordPress upload and plugin directories
- Monitor for web shells and backdoor patterns using signature-based detection tools
- Implement logging for all administrative actions within WordPress, particularly file uploads
- Use SentinelOne's Singularity Platform to detect post-exploitation behaviors such as command execution from web server processes
How to Mitigate CVE-2021-24145
Immediate Actions Required
- Update Modern Events Calendar Lite to version 5.16.5 or later immediately
- Audit WordPress upload directories for any suspicious PHP files that may have been uploaded
- Review administrator account access and ensure strong, unique credentials are in use
- Enable multi-factor authentication for all WordPress administrator accounts
- Consider temporarily disabling the import functionality until patching is complete
Patch Information
Webnus has addressed this vulnerability in Modern Events Calendar Lite version 5.16.5. The patch implements proper server-side file validation that no longer relies solely on the client-supplied Content-Type header. For detailed vulnerability information, see the WPScan Vulnerability Report.
Additional technical details and exploit information are available via Packet Storm Shell Upload Exploit and Packet Storm RCE Vulnerability.
Workarounds
- Restrict administrative access to trusted IP addresses using .htaccess or web server configuration
- Implement a Web Application Firewall (WAF) with rules to block suspicious file upload attempts
- Disable the import functionality in the plugin settings if not required for operations
- Regularly audit user accounts with administrative privileges and remove unnecessary access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

