WordPress admins running the Modern Events Calendar plugin should update to the latest plugin release without delay: attackers have begun exploiting a serious vulnerability in the plugin to compromise WordPress sites.
The WordPress security service Wordfence recently shared details about a serious security vulnerability in the Modern Events Calendar plugin.
As explained in their post, the Modern Events Calendar plugin had an arbitrary file upload vulnerability. The flaw stemmed from missing file type validation in the plugin’s set_featured_image function: the code accepted whatever the client sent as the featured image without checking that it was actually an image. An attacker could therefore upload arbitrary files, including .php files, to the target server, and because those files land in a web-served directory, requesting one of them executes it, yielding remote code execution.
Exploiting the flaw normally requires an authenticated account (subscriber-level access or higher is enough), but on sites that allow unauthenticated event submissions the same upload path is reachable without logging in. In the worst case the vulnerability allows a complete site takeover, for example by dropping a web shell and then adding administrator accounts or modifying plugin and theme files.
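To make the bug class concrete, here is an added illustration of an upload handler that trusts the client-supplied filename, beside a hardened version that decides the file type server-side. This is not code from Modern Events Calendar or from Wordfence; the function names, the upload directory and the sample payload are hypothetical and constructed for the example.

```php
<?php
// Added example: the arbitrary-file-upload pattern described above, weak form
// beside a hardened form. NOT the plugin's code; names and paths are hypothetical.
declare(strict_types=1);

/**
 * WEAK: keeps the client-supplied name and extension. A request carrying
 * name=shell.php stores shell.php in a web-served directory, and the next
 * GET to it runs the payload. (A real handler would call move_uploaded_file();
 * copy() is used so the demo runs outside an HTTP request.)
 */
function set_featured_image_weak(array $file, string $upload_dir): string
{
    $dest = rtrim($upload_dir, '/') . '/' . basename($file['name']);
    copy($file['tmp_name'], $dest);
    return $dest;
}

/**
 * HARDENED: the server decides what the file is and what it is called.
 *  1. allowlist on the final extension only,
 *  2. magic-byte MIME sniff via finfo must match that extension,
 *  3. the bytes must decode as an image (getimagesize),
 *  4. random server-generated filename; the client name is discarded.
 * Returns the stored path or throws RuntimeException.
 */
function set_featured_image_hardened(array $file, string $upload_dir): string
{
    static $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
        'webp' => 'image/webp',
    ];

    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }

    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content is $mime, expected {$allowed[$ext]}");
    }

    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('bytes do not decode as an image');
    }

    $dest = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!copy($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// ---- constructed demo input: a PHP payload posing as a "featured image" ----
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php system(\$_GET['c']); ?>");   // hostile content
$dir = sys_get_temp_dir() . '/upload_demo_' . getmypid();
mkdir($dir);

// 1. Client names it shell.php: the weak handler stores it as-is.
$hostile = ['name' => 'shell.php', 'tmp_name' => $tmp];
echo "weak:     stored " . set_featured_image_weak($hostile, $dir) . PHP_EOL;

// 2. Same request against the hardened handler: rejected at the allowlist.
try {
    set_featured_image_hardened($hostile, $dir);
} catch (RuntimeException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")" . PHP_EOL;
}

// 3. Client renames it cover.jpg: passes the allowlist, fails the MIME sniff.
$renamed = ['name' => 'cover.jpg', 'tmp_name' => $tmp];
try {
    set_featured_image_hardened($renamed, $dir);
} catch (RuntimeException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")" . PHP_EOL;
}

// cleanup of the demo files
array_map('unlink', glob($dir . '/*'));
rmdir($dir);
unlink($tmp);
```

Two caveats the hardened version still needs in deployment. A genuine JPEG with PHP code hidden in its metadata passes all three checks, so the upload directory must additionally refuse to execute scripts (an Apache `.htaccess` or nginx `location` rule that denies `.php` handling under `wp-content/uploads`), and because the server picks the extension, such a file can never be reached as `.php` anyway. Second, the check must run on every upload path the plugin exposes, including the front-end event submission form, since that is exactly the path that made unauthenticated exploitation possible here.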
The vulnerability received the CVE ID CVE-2024-5441 and is rated high severity with a CVSS score of 8.8. Wordfence has shared a detailed technical analysis of the flaw in its post.
The vulnerability was discovered by security researcher Friderika Baranyai (alias Foxyyy), who reported it through Wordfence’s bug bounty program. Following the report, Wordfence coordinated with the plugin developers to patch the flaw, which affects all plugin versions up to and including 7.11.0.
The developers, Webnus, fixed the flaw in Modern Events Calendar 7.12.0. The researcher received a $3,094 bounty for the report.
Although the patch is available, Wordfence has already detected active exploitation attempts against this vulnerability. With over 150,000 active installations, the flaw puts a large number of websites at risk. Site owners should update to version 7.12.0 or later immediately; where the update cannot be applied at once, disabling unauthenticated event submissions removes the unauthenticated path, and administrators of exposed sites should also check the uploads directory for unexpected .php files and review recently created user accounts, since a successful upload may have preceded the patch.
Abeerah has been a passionate blogger for several years with a particular interest in science and technology. She is keen to know everything about the latest tech developments, and knowing and writing about cybersecurity, hacking, and spying has always fascinated her. When she is not writing, there is no better pastime than web surfing and staying updated about the tech world.
latesthackingnews.com 2011 – 2024 All rights reserved