If you’re using the Modern Events Calendar plugin for your WordPress website, make sure to update to version 7.12.0 immediately. A security flaw was discovered in the Modern Events Calendar, a widely used WordPress plugin with over 150,000 active installations. Earlier versions contain a vulnerability that can be used to take over your entire website. To make matters worse, researchers report that hackers are already exploiting the flaw in the wild.
Issue Discovery and Reporting
The vulnerability was discovered and responsibly reported on May 20 by Friderika Baranyai (Foxy) during Wordfence’s Bug Bounty Extravaganza. Foxy earned a bounty of $3,094.00 for this critical discovery.
According to Wordfence, the security issue, tracked as CVE-2024-5441, stems from a lack of file type validation in the plugin’s set_featured_image function, which is used for uploading and setting featured images for events. Because the uploaded file’s type is never checked, malicious actors can upload harmful PHP files, which could lead to a complete site takeover. Any authenticated user, including subscribers and registered members, can exploit this flaw.
Hackers are actively targeting this critical vulnerability to upload arbitrary files and execute code remotely. It is essential to update the plugin to the latest version to prevent any potential attacks.
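As an added illustration, written for this article and not taken from the Modern Events Calendar plugin or from Wordfence, here is what a featured-image upload handler in a WordPress plugin looks like once the checks that a missing-file-type-validation bug lacks are in place. The handler name `mec_demo_set_featured_image`, the nonce action `mec_demo_upload` and the form field names are assumptions for the example.

```php
<?php
// Added example of a hardened featured-image upload handler. Names prefixed
// mec_demo_ are assumptions for this illustration, not plugin identifiers.
add_action( 'wp_ajax_mec_demo_set_featured_image', 'mec_demo_set_featured_image' );

function mec_demo_set_featured_image() {
    // Authorization: being logged in is not enough; require the capability
    // WordPress uses for media uploads, edit rights on the event, and a nonce.
    check_ajax_referer( 'mec_demo_upload', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! current_user_can( 'upload_files' ) || ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['featured_image'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }
    $file = $_FILES['featured_image'];

    // File type validation: an explicit allow-list of image types. A handler
    // that skips this and moves $file['tmp_name'] into the uploads directory
    // stores a .php upload as-is, which is the class of bug described above.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    // Checks the extension against the file's real content (magic bytes) and
    // returns ext/type as false when either fails the allow-list.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'only JPEG, PNG or GIF images are accepted', 415 );
    }

    // Let WordPress store the file; 'mimes' enforces the same allow-list
    // inside wp_handle_upload as a second line of defence.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    $upload = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }
    // Register the stored image as an attachment and set it as the featured image.
    $attachment_id = wp_insert_attachment( array(
        'post_mime_type' => $upload['type'],
        'post_title'     => sanitize_file_name( basename( $upload['file'] ) ),
        'post_status'    => 'inherit',
    ), $upload['file'], $post_id );
    wp_update_attachment_metadata( $attachment_id, wp_generate_attachment_metadata( $attachment_id, $upload['file'] ) );
    set_post_thumbnail( $post_id, $attachment_id );
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

When auditing a plugin’s upload path, look for the two things this handler does that a vulnerable one skips: a capability check stricter than "logged in", and a type check on the file content rather than on the user-supplied name alone.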
Wordfence Support
Wordfence, a leading WordPress security provider, emphasized its commitment to securing the web by investing in quality vulnerability research and collaborating with top-tier researchers. Wordfence acted swiftly to protect its users, releasing a firewall rule to block any exploits targeting this vulnerability on May 28, 2024, for Wordfence Premium, Wordfence Care, and Wordfence Response users. Sites using the free version of Wordfence received the same protection on June 27, 2024.
The Webnus team, developers of the Modern Events Calendar, were contacted on May 24, 2024, and responded on June 14, 2024. After receiving full disclosure details, they released a patch on July 8, 2024. Users are urged to update to the latest patched version, 7.12.0, immediately.
WordPress is a popular open-source content management system (CMS) used by millions of websites worldwide. Its user-friendly interface, extensive plugin ecosystem, and customizable themes make it a favorite among bloggers, businesses, and developers. However, its widespread use also makes it a target for cyberattacks.
Security is a critical concern for WordPress sites. Vulnerabilities can arise from core software, themes, or plugins. Common security issues include outdated software, weak passwords, and unpatched vulnerabilities.
Remember, security is a top priority, and staying up-to-date with the latest security patches is crucial to protecting your website from hackers.