Vulnerability In A WordPress Calendar Plugin Actively Exploited

Published on Latest Hacking News

WordPress admins running the Modern Events Calendar plugin on their websites must act quickly to update to the latest plugin release. Attackers have begun exploiting a high-severity arbitrary file upload vulnerability in the plugin to target WordPress sites.

Modern Events Calendar Plugin Vulnerability Puts 150K Sites at Risk

Wordfence, a WordPress security service, recently disclosed a significant security vulnerability in the Modern Events Calendar plugin.

According to their report, the plugin allowed arbitrary file uploads because its set_featured_image function did not validate the type of the uploaded file. An attacker could use this to upload arbitrary files, including PHP scripts disguised as event images, to the server, leading to remote code execution.

Exploiting the vulnerability requires an authenticated account, but only a low-privileged one, and unauthenticated exploitation is possible on sites that accept event submissions from guests. In the worst case, the vulnerability enables a complete takeover of the website through a webshell or similar technique.

The vulnerability has been assigned the CVE ID CVE-2024-5441, with a high severity rating and a CVSS score of 8.8. Wordfence has provided a detailed technical analysis of the flaw in their report.

Update Your Sites Immediately as Hackers Exploit the Vulnerability

The vulnerability was discovered by security researcher Friderika Baranyai (also known as Foxyyy), who reported it through Wordfence's bug bounty program. Following the report, Wordfence worked with the plugin developers to address the vulnerability, which affects all plugin versions up to and including 7.11.0.

The developers, Webnus, released the fix in Modern Events Calendar version 7.12.0. The researcher received a $3,094 bounty for the report.


Despite the patch being available, Wordfence has observed active exploitation attempts targeting this vulnerability. With over 150,000 active installations of the plugin, numerous websites are at risk. Users should update to the latest plugin release without delay. Sites that were exposed before updating should also review their uploads directory, since updating the plugin does not remove a webshell an attacker has already placed.

We welcome your thoughts and feedback in the comments section.
