Hackers target WordPress calendar plugin used by 150,000 sites


Hackers are trying to exploit a vulnerability in the Modern Events Calendar WordPress plugin that is present on more than 150,000 websites to upload arbitrary files to a vulnerable site and execute code remotely.

The plugin is developed by Webnus and is used to organize and manage in-person, virtual, or hybrid events.

The vulnerability exploited in attacks is identified as CVE-2024-5441 and received a high-severity score (CVSS v3.1: 8.8). It was discovered and reported responsibly on May 20 by Friderika Baranyai during Wordfence’s Bug Bounty Extravaganza.

In a report describing the security issue, Wordfence says that the security issue stems from a lack of file type validation in the plugin’s ‘set_featured_image’ function, used for uploading and setting featured images for the events.

The function takes an image URL and post ID, tries to get the attachment ID, and if not found, downloads the image using the get_web_page function.

It retrieves the image using wp_remote_get or file_get_contents, and saves it to the WordPress uploads directory using file_put_contents function.

Modern Event Calendar versions up to and including 7.11.0 have no checks for the file type of extension in uploaded image files, allowing any file type, including risky .PHP files, to be uploaded.

Once uploaded, these files can be accessed and executed, enabling remote code execution on the server and potentially leading to complete website takeover.

Any authenticated user, including subscribers and any registered members, can exploit CVE-2024-5441.

If the plugin is set to allow event submissions from non-members (visitors without accounts), CVE-2024-5441 is exploitable without authentication.

Webnus fixed the vulnerability yesterday by releasing version 7.12.0 of Modern Event Calendar, which is the recommended upgrade to avoid the risk of a cyberattack.

However, Wordfence reports that hackers are already trying to leverage the issue in attacks, blocking over 100 attempts in 24 hours.

Given the ongoing exploitation efforts, users of the Modern Events Calendar and Modern Events Calendar Lite (free version) should to upgrade to the latest version as soon as possible or disable the plugin until they can perform the update.



Source link