A critical security flaw in the widely-used Modern Events Calendar WordPress plugin has become a target for cybercriminals. This vulnerability, affecting over 150,000 websites, allows attackers to upload malicious files and execute code remotely on compromised sites.
Webnus, the developer of this popular event management plugin for in-person, virtual, and hybrid gatherings, has a serious problem on its hands. The vulnerability is tracked as CVE-2024-5441 and rated high severity, with a CVSS v3.1 score of 8.8.
This security issue was initially identified on May 20 by security researcher Friderika Baranyai during Wordfence’s Bug Bounty Extravaganza program. The discovery was reported through proper channels, highlighting the importance of responsible disclosure in the cybersecurity community.
Wordfence’s security report highlights a critical vulnerability in the Modern Events Calendar plugin. The flaw originates from inadequate file type validation within the plugin’s ‘set_featured_image’ function, which is responsible for uploading and assigning featured images to events.

The function takes an image URL and a post ID and first tries to resolve the URL to an existing attachment ID. If that fails, it fetches the remote file through the plugin's get_web_page helper, which retrieves it with wp_remote_get or file_get_contents, and then writes the response body into the WordPress uploads directory with file_put_contents.
Significantly, Modern Events Calendar versions up to and including 7.11.0 perform no file type or extension check on the downloaded file before writing it. Any file type is accepted, so a URL that points at a .php file is stored as a .php file inside a directory the web server serves.
Once stored, such a file can be requested directly and executed by the web server, giving the attacker remote code execution and potentially complete control of the site.
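To make the flaw concrete, here is an added illustration written for this article, not code from Webnus or from the Wordfence report: a reconstruction of the download-and-store pattern the paragraphs above describe, next to a hardened version of the same step. The mec_example_* function names, the attacker.example URL and the exact control flow are assumptions; the wp_*, media_* and set_post_thumbnail functions are real WordPress core APIs.

```php
<?php
/*
 * Added illustration, not the plugin's own code. The vulnerable function is a
 * reconstruction of the pattern described in the article; the hardened one
 * shows the checks that close the hole. Assumes a loaded WordPress
 * environment (ABSPATH defined). mec_example_* names are hypothetical.
 */
require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/media.php';
require_once ABSPATH . 'wp-admin/includes/image.php';

/* VULNERABLE PATTERN: the filename comes straight from the URL and the body is
 * written into the uploads directory with no extension or MIME check, so
 * https://attacker.example/shell.php lands as uploads/<year>/<month>/shell.php
 * and the web server executes it on the next request. */
function mec_example_set_featured_image_vulnerable( $image_url, $post_id ) {
    $response = wp_remote_get( $image_url );
    if ( is_wp_error( $response ) ) {
        return false;
    }
    $upload   = wp_upload_dir();
    $filename = basename( (string) parse_url( $image_url, PHP_URL_PATH ) );
    $path     = trailingslashit( $upload['path'] ) . $filename;
    file_put_contents( $path, wp_remote_retrieve_body( $response ) ); // any extension, including .php
    return $path;
}

/* HARDENED PATTERN: allowlist http(s), fetch through the SSRF-aware client,
 * sanitize the filename, verify extension and real content against an image
 * allowlist, and only then hand the file to the media sideload path. */
function mec_example_set_featured_image_hardened( $image_url, $post_id ) {
    $scheme = parse_url( $image_url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'mec_bad_scheme', 'Only http(s) URLs are accepted.' );
    }
    // wp_safe_remote_get() refuses requests to unsafe hosts (SSRF defense).
    $response = wp_safe_remote_get( $image_url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'mec_fetch_failed', 'Could not fetch the image.' );
    }

    $allowed  = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );
    $filename = sanitize_file_name( basename( (string) parse_url( $image_url, PHP_URL_PATH ) ) );
    if ( '' === $filename ) {
        $filename = 'featured-image';
    }

    // Write to a temp file first; nothing reaches the uploads directory until
    // the type checks pass.
    $tmp = wp_tempnam( $filename );
    file_put_contents( $tmp, wp_remote_retrieve_body( $response ) );

    // Extension must map to an allowed image type, and the bytes must actually
    // parse as an image. shell.php fails the first check; a plain PHP file
    // renamed to .png fails the second.
    $check = wp_check_filetype_and_ext( $tmp, $filename, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || false === wp_get_image_mime( $tmp ) ) {
        @unlink( $tmp );
        return new WP_Error( 'mec_bad_type', 'Only JPEG, PNG, GIF and WebP images are accepted.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $filename = $check['proper_filename']; // extension corrected to match the content
    }

    // media_handle_sideload() re-validates, moves the file into uploads and
    // creates the attachment post.
    $file_array    = array( 'name' => $filename, 'tmp_name' => $tmp );
    $attachment_id = media_handle_sideload( $file_array, $post_id );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        return $attachment_id;
    }
    set_post_thumbnail( $post_id, $attachment_id );
    return $attachment_id;
}
```

Two points worth noting. First, a valid image with PHP appended still passes the hardened version, but it is stored with an image extension that the web server will not execute, which is exactly why the extension allowlist matters more than content sniffing here. Second, WordPress already ships this whole flow as media_sideload_image( $url, $post_id, null, 'id' ), so a plugin that needs a remote image rarely has a reason to call file_put_contents at all.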
CVE-2024-5441 can be exploited by any authenticated user, down to the lowest subscriber role. If the plugin's settings allow event submissions from non-members (visitors without an account), no authentication is needed at all.
Webnus addressed the flaw yesterday by releasing Modern Events Calendar version 7.12.0; all users are strongly advised to install it to mitigate the risk of attack.
However, Wordfence reports that attackers are already attempting to exploit the vulnerability, with more than 100 exploitation attempts blocked in a single 24-hour period.
Given the ongoing exploitation efforts, users of both the Modern Events Calendar and its free counterpart, Modern Events Calendar Lite, are urged to update to the latest version immediately. If an immediate update is not possible, it’s advisable to disable the plugin until the update can be performed.
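If you cannot be certain the site was patched before the attempts began, the uploads directory is where a successful exploitation leaves its trace. The following is an added triage script, not part of the article or of the plugin: a standalone PHP command-line tool that walks wp-content/uploads and reports files that should not be there. The allowlist of extensions, the mec_* function names and the small sample tree it builds when run without an argument are all constructed for this example.

```php
<?php
/*
 * Added triage script, not from the page or the vendor. Standalone PHP CLI,
 * no WordPress required. Flags three things under an uploads tree:
 *   - files with an extension that is not a normal media type,
 *   - files whose leading bytes contain a PHP open tag, whatever the extension,
 *   - server configuration files (.htaccess, .user.ini) that do not belong in uploads.
 * Usage: php scan-uploads.php /var/www/html/wp-content/uploads
 * With no argument it builds a constructed sample tree in the temp directory
 * and scans that instead.
 */

// Extensions considered normal for a WordPress uploads directory (assumption;
// adjust to what the site actually hosts).
const MEC_ALLOWED_EXT = array( 'jpg', 'jpeg', 'jpe', 'png', 'gif', 'webp', 'svg', 'ico', 'pdf', 'mp4', 'mp3', 'txt' );

function mec_scan_uploads( string $root ): array {
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $path    = $file->getPathname();
        $name    = $file->getFilename();
        $ext     = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        $reasons = array();

        if ( in_array( $name, array( '.htaccess', '.user.ini' ), true ) ) {
            $reasons[] = 'server config file inside uploads';
        } elseif ( '' === $ext || ! in_array( $ext, MEC_ALLOWED_EXT, true ) ) {
            $reasons[] = "unexpected extension '.$ext'";
        }

        // Only the first 8 KB are read; a dropped PHP file opens with its tag.
        $head = (string) file_get_contents( $path, false, null, 0, 8192 );
        if ( preg_match( '/<\?(php|=)/i', $head ) ) {
            $reasons[] = 'PHP open tag in content';
        }

        if ( $reasons ) {
            $findings[ $path ] = array(
                'modified' => date( 'c', $file->getMTime() ),
                'reasons'  => $reasons,
            );
        }
    }
    ksort( $findings );
    return $findings;
}

// Constructed sample tree: one real-looking PNG header, one dropped PHP file,
// one PHP file hiding behind an image extension, one stray .htaccess.
function mec_build_sample_tree(): string {
    $root = sys_get_temp_dir() . '/mec-scan-' . bin2hex( random_bytes( 4 ) );
    mkdir( "$root/2024/06", 0700, true );
    file_put_contents( "$root/2024/06/banner.png", "\x89PNG\r\n\x1a\n" . str_repeat( "\0", 32 ) );
    file_put_contents( "$root/2024/06/shell.php", "<?php /* constructed stand-in for a dropped webshell */ ?>" );
    file_put_contents( "$root/2024/06/logo.jpg", "<?php /* constructed: PHP behind an image extension */ ?>" );
    file_put_contents( "$root/.htaccess", "# constructed sample\n" );
    return $root;
}

$root = $argv[1] ?? null;
if ( null === $root ) {
    $root = mec_build_sample_tree();
    echo "No directory given; scanning constructed sample tree at $root\n";
}
foreach ( mec_scan_uploads( $root ) as $path => $finding ) {
    printf( "%s (modified %s)\n    %s\n", $path, $finding['modified'], implode( '; ', $finding['reasons'] ) );
}
```

Treat every hit as a lead rather than a verdict: cross-check the flagged path against the web server access log for the request that fetched it, since that request is the clearest sign the upload was actually executed. As defense in depth, independent of the plugin update, configure the web server so nothing under wp-content/uploads is executed as PHP; then a successful upload of this kind has no code-execution effect.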
