Vulnerability in a WordPress calendar plugin is being actively exploited


WordPress administrators running the Modern Events Calendar plugin should update to the latest release of the plugin without delay. Attackers have started exploiting a serious vulnerability in the plugin to compromise WordPress sites.

Modern Events Calendar plugin vulnerability puts 150,000 sites at risk

WordPress security service Wordfence recently shared details about a serious security vulnerability in the Modern Events Calendar plugin.

As explained in their post, the Modern Events Calendar plugin contained an arbitrary file upload vulnerability. The root cause was missing file type validation in the plugin's set_featured_image function: the code accepted whatever file was submitted as a featured image without checking that it was actually an image. An attacker could exploit this to upload files of their choosing, including .php files, to the target server and achieve remote code execution.

Exploiting the flaw required an authenticated account, and Wordfence rates it as exploitable by subscriber-level users and above. Unauthenticated exploitation also becomes possible on sites that allow unauthenticated event submissions, which the plugin permits by default. In the worst case, the vulnerability allows a complete takeover of the website, for example by planting a web shell in the upload directory.
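To make the bug class concrete, the following is an added illustration written for this article, not code from the Modern Events Calendar plugin or from Wordfence's analysis. It shows a hypothetical featured-image handler in the shape the report describes (any uploaded file written under the upload directory with its client-supplied name) beside a hardened version that enforces a nonce, a capability check, an image-type whitelist and content sniffing. The function names, the form field name, the nonce action and the post-meta key are assumptions made for the example; the WordPress functions called (check_ajax_referer, current_user_can, wp_check_filetype_and_ext, wp_handle_upload, wp_insert_attachment, set_post_thumbnail) are real core API.

```php
<?php
// Added illustration of the bug class described in the Wordfence report.
// NOT the plugin's real code: handler names, the 'featured_image' field, the
// 'mec_demo_featured_image' nonce action and meta key are assumptions.

// VULNERABLE PATTERN: no capability check, and the file type is never validated.
// The destination name comes straight from the client, so "shell.php" lands in a
// web-accessible directory and is executed on the next request.
function mec_demo_set_featured_image_vulnerable( $post_id ) {
    $file       = $_FILES['featured_image'];
    $upload_dir = wp_upload_dir();
    $dest       = $upload_dir['path'] . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );
    update_post_meta( $post_id, 'mec_demo_featured_image', $dest );
}

// HARDENED PATTERN: prove intent (nonce), prove authorisation (capabilities),
// then let WordPress validate the extension and MIME type against a whitelist
// and confirm the payload really is an image before anything touches disk.
function mec_demo_set_featured_image_hardened( $post_id ) {
    check_ajax_referer( 'mec_demo_featured_image', 'nonce' );

    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    if ( empty( $_FILES['featured_image'] ) || UPLOAD_ERR_OK !== $_FILES['featured_image']['error'] ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }
    $file = $_FILES['featured_image'];

    // Explicit whitelist: only these extension/MIME pairs are acceptable, so
    // .php, .phtml, .htaccess and friends never get an allowed type.
    $mimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Only JPEG, PNG, GIF or WebP images are allowed', '', array( 'response' => 415 ) );
    }
    // Defence in depth: the bytes must parse as an image, regardless of name.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        wp_die( 'Uploaded file is not a valid image', '', array( 'response' => 415 ) );
    }

    // wp_handle_upload() re-validates against $mimes, generates a safe unique
    // filename and places the file in the dated uploads sub-directory.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    $attachment_id = wp_insert_attachment(
        array(
            'post_mime_type' => $result['type'],
            'post_title'     => sanitize_file_name( pathinfo( $result['file'], PATHINFO_FILENAME ) ),
            'post_status'    => 'inherit',
        ),
        $result['file'],
        $post_id
    );
    set_post_thumbnail( $post_id, $attachment_id );
    return $attachment_id;
}
```

The capability check is what closes the unauthenticated path: on a site that accepts anonymous event submissions, the submission form should either not offer an upload at all or route it through the same validation with uploads stored outside the web root. As an independent safeguard, block PHP execution under wp-content/uploads at the web server, so that a future upload bug of this kind cannot be turned into code execution.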

The vulnerability has been assigned CVE-2024-5441, with a high severity rating and a CVSS score of 8.8. Wordfence shared a detailed technical analysis of the bug in its post.

Patch your sites as quickly as possible while hackers are actively exploiting the flaw

The vulnerability first caught the attention of security researcher Friderika Baranyai (aka Foxyyy), who reported it through Wordfence's bug bounty program. Wordfence then worked with the plugin developers on a fix. The bug affects plugin versions up to and including 7.11.0.

Ultimately, the developers, Webnus, fixed the bug in Modern Events Calendar 7.12.0. The researcher received a $3,094 bounty for the report.


Although the patch is available, Wordfence has already observed active exploitation attempts against this vulnerability. With over 150,000 active installations, the flaw puts a large number of websites at risk, so administrators should confirm that their sites are running version 7.12.0 or later. Because exploitation began before many sites updated, patching alone is not enough: administrators should also check wp-content/uploads for unexpected .php files and review recently created or modified files, since a web shell dropped before the update survives it.
