CVE-2021-24145: 
WordPress vulnerability analysis and mitigation

CVE-2021-24145 is a vulnerability discovered in the WordPress plugin Modern Events Calendar Lite versions prior to 5.16.5. The vulnerability was publicly disclosed on January 29, 2021, and affects the calendar import functionality of the plugin. The issue allows authenticated users with administrative privileges to upload arbitrary PHP files by manipulating the content-type in the request (WPScan).

The vulnerability stems from improper file validation in the import functionality of the Modern Events Calendar Lite plugin. Specifically, the plugin failed to properly validate uploaded files, allowing PHP files to be uploaded by administrators by setting the content-type to 'text/csv' in the request. Additionally, the vulnerability could be exploited through a CSRF attack due to missing security checks (WPScan).

When successfully exploited, this vulnerability allows authenticated administrators to upload malicious PHP files to the server, which can lead to remote code execution (RCE) with the privileges of the web server user. The uploaded files are stored in the '/wp-content/uploads/' directory of the WordPress installation (WPScan).

The vulnerability has been patched in version 5.16.5 of the Modern Events Calendar Lite plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).