Hackers are attempting to exploit a flaw in the Modern Events Calendar WordPress plugin. According to reports, about 150,000 websites have the plugin installed, and the recently disclosed flaw allows attackers to upload arbitrary files to a vulnerable site and execute code remotely.
This plugin’s primary purpose is to organise and manage events that take place in person, virtually, or both. Hence, it has attracted thousands of website owners who need such services.
The newly discovered WordPress plugin bug has a high severity rate.
The WordPress plugin vulnerability used in the attacks has been identified as CVE-2024-5441 and carries a high severity rating. Researchers explained that the security problem originates from a lack of file type validation in the plugin’s ‘set_featured_image’ function, which is used to upload and configure featured images for events.
The function accepts an image URL and a post ID and attempts to look up an existing attachment ID; if none is found, it downloads the picture using the get_web_page function, which retrieves the image with wp_remote_get or file_get_contents, and then saves it to the WordPress uploads directory via the file_put_contents function.
However, Modern Events Calendar versions up to 7.11.0 do not check the file type or extension of the fetched picture file, so any file type can be submitted, including risky .PHP files.
Once stored, these files can be requested and executed, allowing remote code execution (RCE) on the server and potentially resulting in a complete website takeover. Any authenticated user, including subscribers and registered members, can exploit the vulnerability.
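The missing check described above is the kind of validation the featured-image step needs. The following is an added example of a hardened version of that step, not code from the plugin or its developer; the function name and error slugs are hypothetical, while the WordPress core helpers it calls (wp_remote_get, wp_check_filetype_and_ext, wp_get_image_mime, media_handle_sideload) are real. It restricts the URL scheme, caps the download size, verifies the real image MIME type before anything reaches the uploads directory, and lets core rename the file to the detected extension.

```php
<?php
// Added example (hypothetical function, not the plugin's set_featured_image).
// Assumes it runs inside WordPress; these admin includes are needed on the front end.
require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/media.php';
require_once ABSPATH . 'wp-admin/includes/image.php';

function hypothetical_safe_featured_image_from_url( string $url, int $post_id ) {
    // 1. Accept only http(s) URLs: no file://, php://, data: or similar wrappers.
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_scheme', 'Only http(s) image URLs are accepted.' );
    }

    // 2. Fetch through the WordPress HTTP API only (never file_get_contents), with a size cap.
    $response = wp_remote_get( $url, array( 'timeout' => 10, 'limit_response_size' => 5 * MB_IN_BYTES ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not download the image.' );
    }

    // 3. Stage the bytes in a temp file outside the uploads directory and validate them.
    $tmp = wp_tempnam( 'featured-image' );
    file_put_contents( $tmp, wp_remote_retrieve_body( $response ) );
    $filename = sanitize_file_name( basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ) );
    $allowed  = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif', 'webp' => 'image/webp' );
    $check    = wp_check_filetype_and_ext( $tmp, $filename, $allowed );
    // wp_check_filetype_and_ext() keeps an image extension when it cannot read an image
    // MIME from the content, so the explicit wp_get_image_mime() check is what rejects
    // a script saved under a picture name (or under any non-allowlisted extension).
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || false === wp_get_image_mime( $tmp ) ) {
        unlink( $tmp );
        return new WP_Error( 'not_an_image', 'Downloaded file is not an allowed image type.' );
    }

    // 4. Hand the file to the media library rather than writing into uploads directly;
    //    core moves it with the detected extension and registers the attachment.
    $file_array = array(
        'name'     => $check['proper_filename'] ? $check['proper_filename'] : $filename,
        'tmp_name' => $tmp,
    );
    $attachment_id = media_handle_sideload( $file_array, $post_id );
    if ( is_wp_error( $attachment_id ) ) {
        if ( file_exists( $tmp ) ) {
            unlink( $tmp );
        }
        return $attachment_id;
    }
    set_post_thumbnail( $post_id, $attachment_id );
    return $attachment_id;
}
```

A capability check (for example current_user_can( 'upload_files' )) belongs on the caller that exposes this function to event submissions, since the page notes the flaw is reachable by low-privilege or even unauthenticated users.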
If the plugin is configured to accept event submissions from visitors without accounts, CVE-2024-5441 can be exploited without authentication. The plugin developer patched the bug earlier this week in version 7.12.0 of Modern Events Calendar, which is the recommended upgrade to avoid the risk of a cyberattack.
Investigations revealed that hackers have already tried to use the flaw in attacks, with over 100 exploitation attempts blocked in 24 hours. Therefore, sites that use Modern Events Calendar or Modern Events Calendar Lite (the free version) should update to the most recent version as soon as possible, or disable the plugin, to avoid exploitation by threat actors that could result in the compromise of company websites.