CVE-2021-24145

Name of the Vulnerable Software and Affected Versions: Modern Events Calendar Lite versions prior to 5.16.5

Description: The issue allows for arbitrary file upload due to improper checking of imported files. An administrator can upload PHP files by using the 'text/csv' content-type in the request. This can lead to remote code execution. The uploaded file is typically stored in the default /uploads/ directory. There have been real-world incidents where this issue was exploited, including a capture-the-flag challenge where the vulnerability was used for remote code execution.

Recommendations: For versions prior to 5.16.5, update to version 5.16.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the file upload functionality to minimize the risk of exploitation. Additionally, restrict access to the /uploads/ directory to prevent execution of uploaded PHP files.