CVE-2021-24145 Overview
CVE-2021-24145 is an arbitrary file upload vulnerability in the Webnus Modern Events Calendar Lite WordPress plugin in versions prior to 5.16.5. The plugin's import functionality fails to validate the contents of uploaded files, relying only on the declared Content-Type header. An authenticated administrator can upload a PHP file by setting the request Content-Type to text/csv, achieving remote code execution on the underlying server. The flaw is classified as [CWE-434] (Unrestricted Upload of File with Dangerous Type). Public exploits are available through Exploit-DB and Packet Storm, and the EPSS score of 91.3% places this issue in the top percentile of likely-exploited vulnerabilities.
Critical Impact
An authenticated administrator can upload a PHP webshell through the events import feature, leading to remote code execution and full WordPress site compromise.
Affected Products
- Webnus Modern Events Calendar Lite for WordPress, all versions prior to 5.16.5
- WordPress installations running the vulnerable plugin whose administrator-level accounts are exposed or shared
- Web hosting environments where the WordPress wp-content/uploads directory permits PHP execution
Discovery Timeline
- 2021-03-18 - CVE-2021-24145 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-24145
Vulnerability Analysis
The Modern Events Calendar Lite plugin exposes an import feature that allows administrators to bring in events from CSV files. The server-side handler validates the file by inspecting the HTTP Content-Type header rather than the file extension or actual content. When the handler sees text/csv, it accepts the upload and writes it to a web-accessible directory while preserving the original filename and extension. An attacker who submits a file named with a .php extension and a forged text/csv content type bypasses validation entirely. The resulting PHP file is reachable through a direct URL and executed by the web server.
Root Cause
The root cause is improper input validation on file uploads. The plugin trusts the client-supplied Content-Type header instead of verifying file magic bytes, sanitizing the extension, or restricting the destination directory to non-executable storage. This pattern maps directly to [CWE-434].
Attack Vector
Exploitation requires an authenticated session with administrator privileges. The attacker sends a multipart POST request to the plugin's import endpoint with a PHP payload as the file body and Content-Type: text/csv in the file part. After upload, the attacker requests the uploaded .php file directly from the WordPress uploads directory to trigger code execution. Public proof-of-concept code is documented in the Packet Storm Shell Upload Exploit and the Packet Storm RCE Exploit.
Detection Methods for CVE-2021-24145
Indicators of Compromise
- PHP files present in plugin upload directories such as wp-content/uploads/ or plugin-specific import folders
- HTTP POST requests to Modern Events Calendar import endpoints containing .php filenames with Content-Type: text/csv
- Unexpected outbound network connections originating from the web server process after a successful import
- New or modified administrator accounts followed by import activity in the WordPress admin logs
Detection Strategies
- Inspect web server access logs for GET requests to .php files inside wp-content/uploads/ that return HTTP 200
- Hunt for multipart upload requests where the filename ends in .php but the part Content-Type is text/csv
- Compare the WordPress plugin inventory against the patched version 5.16.5 or later
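The first two detection strategies above in code, as an added example that is not part of this advisory: one function scans combined-format access log lines for HTTP 200 responses to PHP files under wp-content/uploads/, the other parses a multipart upload body and flags parts whose filename ends in a PHP extension but whose declared Content-Type is text/csv. The log lines, the boundary and the multipart body are constructed sample data; the import endpoint path is not on the page, so the second check is applied to the request body alone.

```python
"""Added example (not from the advisory): two of its detection strategies in code.
Sample log lines and the multipart body below are constructed, not real traffic."""
import re
# Combined log format: client ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Same PHP-family extensions as the Apache FilesMatch rule in the workarounds section
PHP_EXT_RE = re.compile(r'\.(?:php|phtml|php5|php7|phar)$', re.I)

def find_php_in_uploads(log_lines):
    """Return (client_ip, method, path) for HTTP 200 responses to PHP files under uploads."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # drop any query string before testing the extension
        if status == "200" and path.startswith("/wp-content/uploads/") and PHP_EXT_RE.search(path):
            hits.append((ip, method, path))
    return hits

def find_csv_masquerade(body, boundary):
    """Return filenames of multipart parts ending in .php* that declare Content-Type text/csv."""
    flagged = []
    for part in body.split("--" + boundary)[1:]:
        if part.startswith("--"):
            break  # closing delimiter
        head, _, _data = part.partition("\r\n\r\n")  # part headers end at the first blank line
        headers = {}
        for hline in head.strip().splitlines():
            name, _, value = hline.partition(":")
            headers[name.strip().lower()] = value.strip()
        fm = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if fm and PHP_EXT_RE.search(fm.group(1)) and headers.get("content-type", "").lower().startswith("text/csv"):
            flagged.append(fm.group(1))
    return flagged

SAMPLE_LOG = [  # constructed: one hit, one benign image, one 404 that must not fire
    '198.51.100.7 - - [18/Mar/2021:10:02:11 +0000] "GET /wp-content/uploads/2021/03/events.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.7 - - [18/Mar/2021:10:01:58 +0000] "GET /wp-content/uploads/2021/03/flyer.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Mar/2021:10:03:02 +0000] "GET /wp-content/uploads/2021/03/old.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"',
]
BOUNDARY = "----ConstructedBoundary42"  # constructed multipart boundary
SAMPLE_BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; filename="events.php"\r\n'
    "Content-Type: text/csv\r\n\r\nPLACEHOLDER_PHP_BODY\r\n"
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; filename="events.csv"\r\n'
    "Content-Type: text/csv\r\n\r\ntitle,start,end\r\n"
    f'--{BOUNDARY}--\r\n'
)
```

The access-log check needs only standard web server logs; the multipart check needs request bodies, which a WAF or request-logging module would have to capture.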
Monitoring Recommendations
- Enable file integrity monitoring across the entire WordPress document root and alert on new PHP files in uploads directories
- Forward web server and PHP-FPM logs to a centralized log platform for correlation with administrative actions
- Track WordPress audit logs for plugin import activity and unexpected administrator logins
How to Mitigate CVE-2021-24145
Immediate Actions Required
- Upgrade Modern Events Calendar Lite to version 5.16.5 or later on every WordPress site
- Audit wp-content/uploads/ and remove any unauthorized .php files
- Rotate WordPress administrator credentials and review the user list for accounts created during the exposure window
- Review the WPScan Vulnerability Report for additional remediation context
Patch Information
Webnus addressed the issue in Modern Events Calendar Lite version 5.16.5 by adding proper file content validation during import. Administrators should update through the WordPress plugin dashboard or by replacing the plugin files with the patched release.
Workarounds
- Restrict access to the WordPress admin interface using IP allowlists or a web application firewall rule set
- Configure the web server to deny PHP execution within wp-content/uploads/ using an .htaccess rule or equivalent Nginx location directive
- Temporarily disable the Modern Events Calendar Lite plugin until the patch is applied
# Apache: block PHP execution in the WordPress uploads directory
# Place this file at wp-content/uploads/.htaccess
# Uses Apache 2.4 "Require" syntax; on Apache 2.2 use "Deny from all" instead.
# Only effective if the server configuration allows .htaccess overrides for this path (AllowOverride).
<FilesMatch "\.(php|phtml|php5|php7|phar)$">
    Require all denied
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

