Hackers are actively exploiting a critical vulnerability in the Modern Events Calendar WordPress plugin, which is installed on over 150,000 websites. This flaw allows attackers to upload arbitrary files and execute code remotely, posing a significant security risk.
Plugin Details and Vulnerability
The Modern Events Calendar plugin, developed by Webnus, is widely used to organise and manage in-person, virtual, and hybrid events. The identified vulnerability, CVE-2024-5441, has been given a high-severity score (CVSS v3.1: 8.8). It was discovered and responsibly reported by Friderika Baranyai on May 20 during Wordfence's Bug Bounty Extravaganza.
Technical Breakdown
The security issue arises from insufficient file type validation in the plugin's set_featured_image function, which handles uploading and setting the featured image for an event. The function takes an image URL and a post ID, fetches the content at that URL with wp_remote_get or file_get_contents, and writes it to the WordPress uploads directory with file_put_contents. In versions up to and including 7.11.0, nothing checks the type of the retrieved file, so any file type, including a potentially dangerous .php file, can be written into the uploads directory.
Once uploaded, these files can be accessed and executed, enabling remote code execution on the server. This vulnerability can be exploited by any authenticated user, including subscribers and registered members. If the plugin allows event submissions from non-members, the flaw can be exploited without any authentication.
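To make the missing check concrete, here is an added, illustrative hardened version of a "fetch image by URL and set it as featured image" handler written for this article; it is not the plugin's code and does not reconstruct its internals. The function name mec_example_set_featured_image is assumed; everything it calls is a WordPress core API, and the key defence is validating the fetched bytes (extension and real MIME type) against an image allow-list before anything reaches the uploads directory.

```php
<?php
// Illustrative example, not the Modern Events Calendar plugin's code.
// Follows the flow the advisory describes (URL -> wp_remote_get -> uploads dir)
// and adds the file-type checks that versions <= 7.11.0 lacked.
// If called outside wp-admin, first require wp-admin/includes/file.php,
// media.php and image.php so wp_tempnam() and media_handle_sideload() exist.

function mec_example_set_featured_image( $image_url, $post_id ) {
    // Only fetch http(s) URLs; reject local paths and other schemes.
    $image_url = esc_url_raw( $image_url );
    $scheme    = wp_parse_url( $image_url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_scheme', 'Only http(s) image URLs are accepted.' );
    }
    // Do not let a low-privilege account attach files to posts it cannot edit.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    $response = wp_remote_get( $image_url, array( 'timeout' => 15 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not retrieve image.' );
    }

    // Allow-list of raster image types, keyed by extension (WordPress mime-array format).
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png',
                      'gif' => 'image/gif', 'webp' => 'image/webp' );

    // Write to a temp file first so the CONTENT can be inspected, not just the name.
    $tmp = wp_tempnam( $image_url );
    file_put_contents( $tmp, wp_remote_retrieve_body( $response ) );
    $filename = sanitize_file_name( basename( (string) wp_parse_url( $image_url, PHP_URL_PATH ) ) );

    // Checks both the extension and the real MIME type of the bytes: a .php file,
    // or PHP code renamed to .png, fails here; getimagesize() confirms it decodes as an image.
    $check = wp_check_filetype_and_ext( $tmp, $filename, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || false === @getimagesize( $tmp ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_type', 'File is not an allowed image type.' );
    }

    // Hand off to the core sideload pipeline: it moves the file into the uploads
    // directory under a unique, sanitized name and creates the attachment post.
    $file_array    = array( 'name' => $check['proper_filename'] ?: $filename, 'tmp_name' => $tmp );
    $attachment_id = media_handle_sideload( $file_array, $post_id );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        return $attachment_id;
    }
    set_post_thumbnail( $post_id, $attachment_id );
    return $attachment_id;
}
```

Even with these checks in place, the uploads directory should still be served with PHP execution disabled (a web-server rule), so that a validation bypass cannot turn a written file into executable code.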
Immediate Actions Required
Webnus has addressed the vulnerability by releasing version 7.12.0 of the Modern Events Calendar plugin. Users are strongly advised to upgrade to this latest version immediately to mitigate the risk of cyber-attacks. Wordfence has already blocked over 100 exploitation attempts within 24 hours of the vulnerability's disclosure, indicating active and ongoing exploitation efforts.
For those unable to update immediately, it is recommended to disable the plugin until the update can be performed.
To Sum Up
Given the severe implications of this vulnerability, prompt action is crucial. Upgrading to the latest version of the Modern Events Calendar plugin or disabling it until the update is possible will help protect your website from potential takeover and other security risks.
Stay vigilant and ensure your WordPress installations are up to date to defend against these and other threats.