Jump to content
  • Hackers target WordPress calendar plugin used by 150,000 sites


    Karlston

    • 322 views
    • 2 minutes
     Share


    • 322 views
    • 2 minutes

    Hackers are trying to exploit a vulnerability in the Modern Events Calendar WordPress plugin that is present on more than 150,000 websites to upload arbitrary files to a vulnerable site and execute code remotely.

     

    The plugin is developed by Webnus and is used to organize and manage in-person, virtual, or hybrid events.

     

    The vulnerability exploited in attacks is identified as CVE-2024-5441 and received a high-severity score (CVSS v3.1: 8.8). It was discovered and reported responsibly on May 20 by Friderika Baranyai during Wordfence's Bug Bounty Extravaganza.

     

    In a report describing the security issue, Wordfence says that the security issue stems from a lack of file type validation in the plugin’s ‘set_featured_image’ function, used for uploading and setting featured images for the events.

     

    The function takes an image URL and post ID, tries to get the attachment ID, and if not found, downloads the image using the get_web_page function.

     

    It retrieves the image using wp_remote_get or file_get_contents, and saves it to the WordPress uploads directory using file_put_contents function.

     

    Modern Event Calendar versions up to and including 7.11.0 have no checks for the file type of extension in uploaded image files, allowing any file type, including risky .PHP files, to be uploaded.

     

    Once uploaded, these files can be accessed and executed, enabling remote code execution on the server and potentially leading to complete website takeover.

     

    Any authenticated user, including subscribers and any registered members, can exploit CVE-2024-5441.

     

    If the plugin is set to allow event submissions from non-members (visitors without accounts), CVE-2024-5441 is exploitable without authentication.

     

    Webnus fixed the vulnerability yesterday by releasing version 7.12.0 of Modern Event Calendar, which is the recommended upgrade to avoid the risk of a cyberattack.

     

    However, Wordfence reports that hackers are already trying to leverage the issue in attacks, blocking over 100 attempts in 24 hours.

     

    Given the ongoing exploitation efforts, users of the Modern Events Calendar and Modern Events Calendar Lite (free version) should to upgrade to the latest version as soon as possible or disable the plugin until they can perform the update.

     

    Source

     

    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every single day for many years.

    2023: Over 5,800 news posts | 2024 (till end of June): 2,839 news posts


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...