### [CVE-2021-24149](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24149)
![](https://img.shields.io/static/v1?label=Product&message=Modern%20Events%20Calendar%20Lite&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=5.16.6%3C%205.16.6%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-89%20SQL%20Injection&color=brighgreen)

### Description

Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue.

### POC

#### Reference
- https://wpscan.com/vulnerability/26819680-22a8-4348-b63d-dc52c0d50ed0

#### Github
No PoCs found on GitHub currently.