CVE-2021-24149

Name of the Vulnerable Software and Affected Versions: Modern Events Calendar Lite WordPress plugin versions prior to 5.16.6

Description: The issue concerns unvalidated input in the Modern Events Calendar Lite WordPress plugin, which did not sanitize the mec[post id] POST parameter in the "mec fes form" AJAX action. This leads to an authenticated SQL Injection issue when logged in as an author or higher.

Recommendations: For versions prior to 5.16.6, update to version 5.16.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "mec fes form" AJAX action for users with author or higher privileges until the update is applied. Avoid using the mec[post id] parameter in the affected AJAX endpoint until the issue is resolved.