The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.12.1 via the 'mec_fes_form' AJAX function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Metrics
Affected Vendors & Products
References
History
Sat, 01 Mar 2025 02:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Webnus
Webnus modern Events Calendar Webnus modern Events Calendar Lite |
|
CPEs | cpe:2.3:a:webnus:modern_events_calendar:*:*:*:*:*:wordpress:*:* cpe:2.3:a:webnus:modern_events_calendar_lite:*:*:*:*:*:wordpress:*:* |
|
Vendors & Products |
Webnus
Webnus modern Events Calendar Webnus modern Events Calendar Lite |
Wed, 07 Aug 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 07 Aug 2024 11:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.12.1 via the 'mec_fes_form' AJAX function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |
Title | Modern Events Calendar <= 7.12.1 - Authenticated (Subscriber+) Server Side Request Forgery | |
Weaknesses | CWE-918 | |
References |
|
|
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2024-08-07T13:17:59.476Z
Reserved: 2024-07-04T21:05:30.723Z
Link: CVE-2024-6522

Updated: 2024-08-07T13:17:54.640Z

Status : Analyzed
Published: 2024-08-07T11:15:45.463
Modified: 2025-03-01T01:20:09.943
Link: CVE-2024-6522

No data.