Search criteria
3 vulnerabilities found for event_banner by wp-eventmanager
FKIE_CVE-2021-24252
Vulnerability from fkie_nvd - Published: 2021-05-06 13:15 - Updated: 2024-11-21 05:52
Severity ?
Summary
The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wp-eventmanager | event_banner | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wp-eventmanager:event_banner:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "E4FC3FEA-DDF9-4E75-A976-377415AE54B4",
"versionEndIncluding": "1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)"
},
{
"lang": "es",
"value": "El plugin Event Banner WordPress versiones hasta 1.3, no verifica el archivo de imagen cargado, permitiendo que las cuentas de administrador cargar archivos arbitrarios, como .exe, .php u otros ejecutables, conllevando a RCE.\u0026#xa0;Debido a una falta de comprobaci\u00f3n CSRF, el problema tambi\u00e9n puede ser utilizado por medio de dicho vector para lograr el mismo resultado, o por medio de un LFI, ya que faltan las comprobaciones de autorizaci\u00f3n (pero requerir\u00eda WP que sea cargado)"
}
],
"id": "CVE-2021-24252",
"lastModified": "2024-11-21T05:52:41.510",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-06T13:15:11.757",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Broken Link"
],
"url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md"
},
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2021-24252 (GCVE-0-2021-24252)
Vulnerability from cvelistv5 – Published: 2021-05-05 18:39 – Updated: 2024-08-03 19:28
VLAI?
Title
Event Banner <= 1.3 - Arbitrary File Upload to RCE
Summary
The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)
Severity ?
No CVSS data available.
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Event Banner |
Affected:
1.3 , ≤ 1.3
(custom)
|
Credits
Jin Huang
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:22.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Event Banner",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.3",
"status": "affected",
"version": "1.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jin Huang"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T18:39:43",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Event Banner \u003c= 1.3 - Arbitrary File Upload to RCE",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24252",
"STATE": "PUBLIC",
"TITLE": "Event Banner \u003c= 1.3 - Arbitrary File Upload to RCE"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Event Banner",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.3",
"version_value": "1.3"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jin Huang"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c"
},
{
"name": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md",
"refsource": "MISC",
"url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24252",
"datePublished": "2021-05-05T18:39:43",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:22.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24252 (GCVE-0-2021-24252)
Vulnerability from nvd – Published: 2021-05-05 18:39 – Updated: 2024-08-03 19:28
VLAI?
Title
Event Banner <= 1.3 - Arbitrary File Upload to RCE
Summary
The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)
Severity ?
No CVSS data available.
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Event Banner |
Affected:
1.3 , ≤ 1.3
(custom)
|
Credits
Jin Huang
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:22.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Event Banner",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.3",
"status": "affected",
"version": "1.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jin Huang"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T18:39:43",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Event Banner \u003c= 1.3 - Arbitrary File Upload to RCE",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24252",
"STATE": "PUBLIC",
"TITLE": "Event Banner \u003c= 1.3 - Arbitrary File Upload to RCE"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Event Banner",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.3",
"version_value": "1.3"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jin Huang"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded)"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/91e81c6d-f24d-4f87-bc13-746715af8f7c"
},
{
"name": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md",
"refsource": "MISC",
"url": "https://github.com/jinhuang1102/CVE-ID-Reports/blob/master/Event%20Banner.md"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24252",
"datePublished": "2021-05-05T18:39:43",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:22.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}