CVE-2021-24946: 
WordPress vulnerability analysis and mitigation

CVE-2021-24946 affects the Modern Events Calendar Lite WordPress plugin versions before 6.1.5. The vulnerability is an unauthenticated SQL injection that exists in the mecloadsingle_page AJAX action due to improper sanitization and escaping of the time parameter before its use in SQL statements (WPScan, NVD).

The vulnerability is classified as CWE-89 (SQL Injection) with a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue specifically occurs in the mecloadsingle_page AJAX action where the time parameter is not properly sanitized before being used in SQL queries. This functionality is accessible to unauthenticated users, making it particularly dangerous (NVD, WPScan).

Due to the unauthenticated nature of the vulnerability and its ability to manipulate SQL queries, successful exploitation could lead to unauthorized access to sensitive database information, potential data modification, and possible system compromise. The critical CVSS score of 9.8 indicates the severe potential impact of this vulnerability (NVD).

The vulnerability has been patched in version 6.1.5 of the Modern Events Calendar Lite plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).