Plugin vulnerable to arbitrary file uploads
CVE-2024-5441

8.8 HIGH

Key Information:

Vendor
WordPress
CVE Published:
9 July 2024

Badges

👾 Exploit Exists
📰 News Worthy

Summary

The Modern Events Calendar plugin for WordPress contains a vulnerability that allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files, because the set_featured_image function does not adequately validate the type of the uploaded file. An uploaded file of an unexpected type can enable remote code execution on the server hosting the affected site. In addition, the plugin's settings allow administrators to grant event submission capabilities to unauthenticated users; where that option is enabled, the vulnerability becomes reachable by unauthenticated attackers, which increases the risk.

Affected Version(s)

Modern Events Calendar * <= 7.11.0

Modern Events Calendar Lite * <= 7.11.0

News Articles

Hackers target WordPress calendar plugin used by 150,000 sites

Hackers are trying to exploit a vulnerability in the Modern Events Calendar WordPress plugin that is present on more than 150,000 websites to upload arbitrary files to a vulnerable site and execute code remotely.


References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist
  • 📰 First article discovered by BleepingComputer
  • Vulnerability published
  • Vulnerability reserved

Credit

Friderika Baranyai