Vulnerability In A WordPress Calendar Plugin Actively Exploited

Hey there, WordPress admins! If you’re using the Modern Events Calendar plugin on your site, it’s time to take action. Hackers are exploiting a critical vulnerability in this plugin to target WordPress websites.

Alert: Modern Events Calendar Plugin Vulnerability Affects 150K Sites

Wordfence, a trusted WordPress security service, recently uncovered a significant security flaw in the Modern Events Calendar plugin.

In a detailed blog post, Wordfence explained that the vulnerability stemmed from a lack of file type validation in the plugin’s set_featured_image function. Because the uploaded file’s type was never checked, an attacker could upload arbitrary files, including .php files, and thereby execute code remotely on the server.

Although exploiting the vulnerability ordinarily requires authenticated access, unauthenticated attacks are possible on sites that allow unauthenticated event submissions. In the worst case, hackers could take over entire websites using webshells or other tactics.
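To make the bug class concrete, here is an added PHP illustration (not the plugin’s code and not taken from Wordfence’s analysis): a featured-image setter that stores whatever was uploaded, beside a version that validates the file type with WordPress’s own helper. The function names, the `$file` array shape and the `$upload_dir` parameter are assumptions for the example.

```php
<?php
// Added example, not Modern Events Calendar code. Shows the pattern described
// above (an image setter with no file type validation) and a hardened version.

// VULNERABLE pattern: the upload is moved into the web-reachable uploads
// directory under its client-supplied name with no type check, so a file
// named payload.php becomes an executable script on the server.
function set_featured_image_unsafe( array $file, string $upload_dir ): string {
    $dest = rtrim( $upload_dir, '/' ) . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );
    return $dest;
}

// HARDENED pattern: restrict to a fixed allowlist of image types, let
// WordPress confirm the file content matches the claimed extension, and
// never reuse the client-supplied filename.
function set_featured_image_safe( array $file, string $upload_dir ) {
    $allowed_mimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );

    // wp_check_filetype_and_ext() checks the extension against the allowlist
    // and, for images, inspects the bytes so a renamed .php does not pass.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error(
            'invalid_featured_image',
            'Only JPEG, PNG, GIF or WebP images are accepted.'
        );
    }

    // Server-chosen random name carrying only the verified extension.
    $name = wp_generate_password( 24, false ) . '.' . $check['ext'];
    $dest = rtrim( $upload_dir, '/' ) . '/' . $name;
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return new WP_Error( 'upload_failed', 'Could not store the image.' );
    }
    return $dest;
}
```

In real plugin code the same validation comes for free from wp_handle_upload() or media_handle_upload(); the explicit version above only makes the missing step visible.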

The vulnerability has been assigned the CVE ID CVE-2024-5441, with a high severity rating and a CVSS score of 8.8. Wordfence’s post provides a detailed technical analysis of the flaw.

Take Action Now: Patch Your Sites to Prevent Exploitation

Security researcher Friderika Baranyai (also known as Foxyyy) first reported this vulnerability to Wordfence through their bug bounty program. Wordfence then collaborated with the plugin developers to patch the flaw in version 7.11.0 of the Modern Events Calendar plugin.

The developers, Webnus, released the fix in version 7.12.0, and the researcher received a $3,094 bounty for their report.

Despite the patch, Wordfence has detected ongoing exploitation attempts targeting this vulnerability. With over 150,000 active installations of the plugin, thousands of websites are at risk. It’s crucial for users to update their sites promptly with the latest plugin release to stay protected.

We’d love to hear your thoughts on this. Share your comments below!
