WordPress admins running the Modern Events Calendar plugin on their websites should update to the latest plugin release without delay. Attackers have started exploiting a serious vulnerability in the plugin to target WordPress sites.
Modern Events Calendar Plugin Vulnerability Risks 150K Sites
The WordPress security service Wordfence recently shared details about a serious security vulnerability in the Modern Events Calendar plugin.
As explained in their post, the Modern Events Calendar plugin had an arbitrary file upload vulnerability. The flaw stemmed from missing file type validation in the plugin's set_featured_image function. An attacker could use it to upload arbitrary files, including .php files, to the target server and then request them over the web to achieve remote code execution.
Exploiting the flaw required authenticated access (subscriber-level or higher), but unauthenticated exploitation was also possible on sites that allow event submissions from anonymous visitors. In the worst case, the vulnerability could lead to a complete website takeover via webshells or other techniques.
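To make the missing check concrete, here is a simplified "set featured image" handler written for this article. It is illustrative code, not the plugin's own implementation: the `mec_demo_*` function names and the request layout (a base64-encoded `image` plus a caller-supplied `filename`) are assumptions. The unsafe version trusts the caller-supplied file name, so the extension, and therefore whether the server will execute the file, is attacker-controlled. The hardened version adds the capability check that limits who can reach the code path at all, validates the extension against an image allowlist, and then checks the actual bytes before handing the file to the media library.

```php
<?php
// Illustrative example, not the plugin's code. Function names prefixed
// mec_demo_ and the $data layout ('image' => base64 payload, 'filename' =>
// caller-supplied name) are assumptions made for this demonstration.
require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/media.php';
require_once ABSPATH . 'wp-admin/includes/image.php';

// --- Unsafe pattern: no file type validation -------------------------------
// The extension comes straight from the request and the decoded bytes land
// under the web root, so "shell.php" becomes a web shell reachable over HTTP.
function mec_demo_set_featured_image_unsafe( $event_id, $data ) {
    $upload_dir = wp_upload_dir();
    $filename   = basename( (string) $data['filename'] );   // e.g. "shell.php"
    $contents   = base64_decode( $data['image'], true );     // attacker-controlled bytes
    $target     = trailingslashit( $upload_dir['path'] ) . $filename;
    file_put_contents( $target, $contents );
    return $upload_dir['url'] . '/' . $filename;
}

// --- Hardened version --------------------------------------------------------
function mec_demo_set_featured_image_safe( $event_id, $data ) {
    // 1. Authorization: only users who may upload media and edit this event.
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_post', $event_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload files.' );
    }

    // 2. Strict base64 decoding and a size cap (5 MB is an arbitrary demo limit).
    $contents = isset( $data['image'] ) ? base64_decode( $data['image'], true ) : false;
    if ( false === $contents || strlen( $contents ) > 5 * MB_IN_BYTES ) {
        return new WP_Error( 'bad_data', 'Invalid or oversized image payload.' );
    }

    // 3. Allowlist image extensions; anything else (.php, .phtml, ...) is refused.
    $allowed  = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $filename = sanitize_file_name( basename( (string) $data['filename'] ) );
    $checked  = wp_check_filetype( $filename, $allowed );
    if ( empty( $checked['ext'] ) || empty( $checked['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF and WebP images are accepted.' );
    }

    // 4. Check the bytes, not just the name: write to a temp file and let
    //    WordPress compare the real content type with the claimed extension.
    $tmp = wp_tempnam( $filename );
    file_put_contents( $tmp, $contents );
    $real = wp_check_filetype_and_ext( $tmp, $filename, $allowed );
    if ( empty( $real['ext'] ) || empty( $real['type'] ) || false === @getimagesize( $tmp ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_content', 'File content does not match an allowed image type.' );
    }
    // WordPress may rename the file so the extension matches the real type.
    if ( ! empty( $real['proper_filename'] ) ) {
        $filename = $real['proper_filename'];
    }

    // 5. Hand off to the media library, which stores the file under a
    //    server-chosen unique name inside the uploads directory.
    $file_array    = array( 'name' => $filename, 'tmp_name' => $tmp );
    $attachment_id = media_handle_sideload( $file_array, $event_id );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        return $attachment_id;
    }
    set_post_thumbnail( $event_id, $attachment_id );
    return $attachment_id;
}
```

The important difference is that the hardened handler never lets the request decide the extension or the storage name: the allowlist rejects executable extensions, `wp_check_filetype_and_ext` and `getimagesize` reject non-image bytes that merely carry an image extension, and `media_handle_sideload` chooses the final file name. Note that the capability check alone would not have been enough on sites that accept event submissions from anonymous visitors, which is why the file type validation is the essential fix.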
The vulnerability was assigned CVE-2024-5441 and rated High severity with a CVSS score of 8.8. Wordfence has shared a detailed technical analysis of the flaw in its post.
Patch Your Sites ASAP as Hackers Actively Exploit The Flaw
The vulnerability was first discovered by security researcher Friderika Baranyai (alias Foxyyy), who reported it through Wordfence's bug bounty program. Following that report, Wordfence coordinated with the plugin developers to patch the flaw, which affected plugin versions up to and including 7.11.0.
The developers, Webnus, fixed the flaw in Modern Events Calendar 7.12.0. The researcher received a $3,094 bounty for the report.
Although the patch is available, Wordfence has already detected active exploitation attempts against this vulnerability. With over 150,000 active installations, the flaw exposes a large number of websites worldwide. Site owners should therefore update to version 7.12.0 or later as soon as possible. Sites that ran a vulnerable version should also be checked for unexpected .php files in the uploads directory, since updating the plugin closes the hole but does not remove a webshell that was planted before the update.
Let us know your thoughts in the comments.