Attention all WordPress admins using the Modern Events Calendar plugin – urgent action is required to secure your websites. Hackers have identified a critical vulnerability in the Calendar plugin and are actively exploiting it to target WordPress sites.
High-Risk Vulnerability in Modern Events Calendar Plugin Affects 150K Sites
Wordfence, a leading WordPress security service, has recently disclosed a significant security flaw in the Modern Events Calendar plugin.
According to their report, the vulnerability stemmed from a lack of file type validation in the plugin’s set_featured_image
function. This allowed attackers to upload malicious image or .php files to the server, potentially leading to remote code execution.
Although exploiting the flaw initially required authenticated access, unauthenticated attacks could also be feasible on sites permitting unauthenticated event submissions. In severe cases, the vulnerability could enable complete website takeovers through webshells or similar methods.
The vulnerability has been assigned the CVE ID CVE-2024-5441, with a high severity rating and a CVSS score of 8.8. Wordfence has shared an in-depth technical analysis of the flaw in their report.
Act Now to Secure Your Sites from Active Exploitation
The security researcher Friderika Baranyai (alias Foxyyy) first identified the vulnerability and reported it through Wordfence’s bug bounty program. Subsequently, Wordfence collaborated with the plugin developers to address the issue in plugin version 7.11.0.
The developers, Webnus, swiftly released the patch in Modern Events Calendar 7.12.0, and the researcher received a $3,094 bounty for the discovery.
Despite the patch being available, Wordfence has detected ongoing exploitation attempts targeting this vulnerability. With over 150,000 active installations of the plugin, numerous websites are at risk worldwide. It is crucial for users to promptly update their sites with the latest plugin version to mitigate potential threats.
We welcome your feedback and insights in the comments section.