Modern Events Calendar, a popular WordPress plugin, contains a serious security vulnerability that attackers are actively exploiting. The flaw lets them upload arbitrary files to the web server, which can lead to remote code execution.
Developed by Webnus, the plugin is used by more than 150,000 sites to manage events ranging from in-person gatherings to virtual webinars. The flaw is tracked as CVE-2024-5441 and poses a serious risk to any site that has not been updated.
Details About the Vulnerability
The flaw in Modern Events Calendar was first identified and reported by Friderika Baranyai on 20 May during the Wordfence Bug Bounty Extravaganza. According to Wordfence's report, the issue stems from insufficient file type validation in the plugin's 'set_featured_image' function.
The function takes an image URL and a post ID. If no attachment ID is found for the image, it downloads it through the 'get_web_page' function, which fetches the content with either 'wp_remote_get' or 'file_get_contents'; the result is then written to the WordPress uploads directory with 'file_put_contents'.
Versions of Modern Events Calendar up to and including 7.11.0 perform no check on the type or extension of the downloaded file, so any file can be written to the uploads directory, including a .php script that the web server can then be asked to execute.
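To make the failure concrete, the following is an added example and not code from the Modern Events Calendar plugin or from Wordfence's report. It reproduces the pattern described above (fetch a URL, keep the file name the URL supplies, write the bytes into the uploads directory) in plain PHP beside a hardened version, using a constructed stand-in for the remote fetch so it runs from the PHP CLI without WordPress. The URLs, function names and fixture contents are invented for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Modern Events Calendar plugin or from
// Wordfence: the "fetch a URL, keep its file name, write it into uploads"
// pattern the report describes, beside a hardened version. Runs from the PHP
// CLI against constructed responses; no WordPress runtime is needed.

// Constructed stand-in for the remote fetch (wp_remote_get / file_get_contents
// in the plugin). Returns a minimal but valid PNG header, or a PHP web shell.
function fetch_remote(string $url): string
{
    $png = "\x89PNG\r\n\x1a\n"                   // PNG signature
         . "\x00\x00\x00\x0dIHDR"                // IHDR chunk length + type
         . "\x00\x00\x00\x01\x00\x00\x00\x01"    // width 1, height 1
         . "\x08\x02\x00\x00\x00"                // depth, colour type, compression, filter, interlace
         . "\x90\x77\x53\xde";                   // CRC (not checked by getimagesize)
    $fixtures = [
        'https://example.test/banner.png' => $png,
        'https://example.test/shell.php'  => "<?php system(\$_GET['cmd']); ?>",
    ];
    return $fixtures[$url] ?? '';
}

// UNSAFE: the file name, and therefore the extension, comes straight from the
// attacker-controlled URL. A URL ending in .php yields an executable script
// inside the web-served uploads directory.
function store_featured_image_unsafe(string $url, string $uploads_dir): string
{
    $body = fetch_remote($url);
    $name = basename((string) parse_url($url, PHP_URL_PATH));
    $dest = $uploads_dir . DIRECTORY_SEPARATOR . $name;
    file_put_contents($dest, $body);
    return $dest;
}

// HARDENED: the extension is derived from the bytes actually received, never
// from the URL, the file name is generated, and anything that does not decode
// as an allowed image type is refused before a single byte reaches disk.
function store_featured_image_safe(string $url, string $uploads_dir): ?string
{
    $body = fetch_remote($url);
    if ($body === '') {
        return null;
    }
    $info = @getimagesizefromstring($body);
    if ($info === false) {
        return null;                               // not an image at all
    }
    $allowed = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_WEBP => 'webp',
    ];
    if (!isset($allowed[$info[2]])) {
        return null;                               // image type not on the allowlist
    }
    $dest = $uploads_dir . DIRECTORY_SEPARATOR
          . 'mec-' . bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    file_put_contents($dest, $body);
    return $dest;
}

// Demo: run both functions against a throwaway uploads directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mec-uploads-' . getmypid();
mkdir($dir, 0700);
foreach (['https://example.test/shell.php', 'https://example.test/banner.png'] as $url) {
    printf("%-34s unsafe -> %s\n", $url, basename(store_featured_image_unsafe($url, $dir)));
    printf("%-34s safe   -> %s\n", $url, store_featured_image_safe($url, $dir) ?? 'rejected');
}
```

Inside a real WordPress plugin the hand-rolled check would be replaced by the core helpers: `wp_check_filetype_and_ext()` validates both the extension and the detected MIME type of a file on disk, and `wp_upload_bits()` writes into the uploads directory while refusing extensions WordPress does not allow. The point the example makes is the same either way: the extension must be decided by what was received, not by what the URL claims.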
Immediate Actions and Updates
Webnus responded by releasing version 7.12.0, which fixes the vulnerability. All users of both the full and lite versions of Modern Events Calendar should apply the update to prevent unauthorized file uploads and potential site takeover.
Despite the prompt release of the patch, the threat remains active: Wordfence reported blocking 159 exploitation attempts in a single 24-hour period.
Recommendations for Website Administrators
Site administrators should update the plugin to the latest version immediately. If the update cannot be applied right away, deactivate the plugin until it can be.
Because the vulnerability was being exploited before many sites had patched, updating alone does not remove a file an attacker may already have dropped into the uploads directory. Sites that ran a vulnerable version while exploitation was under way should also check wp-content/uploads for unexpected .php files. Given the active exploitation, swift action is essential to maintaining site security and integrity.
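The following is an added example, not part of the Wordfence report or the plugin, showing the kind of post-update check a site owner would run: a sweep of a WordPress uploads directory for files with PHP-executable extensions (including double extensions such as shell.php.jpg) and for "image" files whose first bytes contain a PHP open tag. The demo section builds a constructed directory with sample files so the script can be tried offline; the paths and file contents are invented.

```php
<?php
declare(strict_types=1);

// Added example, not part of the Wordfence report or the plugin: a sweep of a
// WordPress uploads directory for files that should never be there. Point
// sweep_uploads() at wp-content/uploads after updating; the demo below runs it
// against a constructed directory so it can be tried offline.

const SUSPECT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'];

// True when the first 4 KiB of a file contain a PHP open tag. Catches payloads
// hidden behind an image extension as well as plain .php files.
function has_php_open_tag(string $path): bool
{
    $head = @file_get_contents($path, false, null, 0, 4096);
    return $head !== false
        && (stripos($head, '<?php') !== false || strpos($head, '<?=') !== false);
}

// Walks $root recursively and returns one record per suspicious file with the
// path, the reason it was flagged, and the modification time (useful for
// matching against the window in which the site ran a vulnerable version).
function sweep_uploads(string $root): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile()) {
            continue;
        }
        $path  = $file->getPathname();
        $mtime = date('c', $file->getMTime());
        // Every extension after the first dot is checked, so shell.php.jpg is
        // reported as well as shell.php.
        $exts = array_slice(explode('.', strtolower($file->getFilename())), 1);
        if (array_intersect($exts, SUSPECT_EXTENSIONS) !== []) {
            $hits[] = ['path' => $path, 'reason' => 'PHP-executable extension', 'mtime' => $mtime];
        } elseif (has_php_open_tag($path)) {
            $hits[] = ['path' => $path, 'reason' => 'PHP open tag inside non-PHP file', 'mtime' => $mtime];
        }
    }
    usort($hits, fn(array $a, array $b) => strcmp($a['mtime'], $b['mtime']));
    return $hits;
}

// Demo against a constructed uploads tree: one real image header, one dropped
// shell, and one shell disguised behind a JPEG header and extension.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-uploads-demo-' . getmypid();
mkdir($root . '/2024/07', 0700, true);
file_put_contents($root . '/2024/07/banner.png', "\x89PNG\r\n\x1a\n");
file_put_contents($root . '/2024/07/shell.php', "<?php system(\$_GET['c']);");
file_put_contents($root . '/2024/07/photo.jpg', "\xff\xd8\xff\xe0<?php eval(\$_POST['x']); ?>");

foreach (sweep_uploads($root) as $hit) {
    printf("%s  %s  %s\n", $hit['mtime'], $hit['reason'], $hit['path']);
}
```

Every hit needs manual triage, and the flagged paths are worth cross-checking against the web server's access logs to see whether anyone requested them. A clean sweep is evidence, not proof: an attacker who executed code may have moved beyond the uploads directory, so a site that was exploited should be treated as a full incident rather than just cleaned of the dropped file.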