July 9, 2024 By Bill Toulas
Hackers are trying to exploit a vulnerability in the Modern Events Calendar WordPress plugin that is present on more than 150,000 websites to upload arbitrary files to a vulnerable site and execute code remotely.
The plugin is developed by Webnus and is used to organize and manage in-person, virtual, or hybrid events.
The vulnerability exploited in attacks is identified as CVE-2024-5441 and received a high-severity score (CVSS v3.1: 8.8). It was discovered and reported responsibly on May 20 by Friderika Baranyai during Wordfence's Bug Bounty Extravaganza.
In a report describing the security issue, Wordfence says that the security issue stems from a lack of file type validation in the plugin’s ‘set_featured_image’ function, used for uploading and setting featured images for the events.
The function takes an image URL and post ID, tries to get the attachment ID, and if not found, downloads the image using the get_web_page function.
It retrieves the image using wp_remote_get or file_get_contents, and saves it to the WordPress uploads directory using file_put_contents function.
