A severe security vulnerability in the Modern Events Calendar plugin for WordPress has been discovered, affecting over 150,000 websites. This flaw allows authenticated users to upload arbitrary files, leading to potential remote code execution.
"On May 20th, 2024, during our Bug Bounty Extravaganza, we received a submission for an Arbitrary File Upload vulnerability in Modern Events Calendar, a WordPress plugin with more than 150,000 estimated active installations."
(István Márton, Wordfence)
Vulnerability details:
- Vulnerability: Arbitrary File Upload, tracked as CVE-2024-5441, reported by researcher Friderika Baranyai.
- Impact: High severity, CVSS score 8.8.
- Fix: Webnus patched the issue in version 7.12.0; update to that version or later.
Bounty and Response
The vulnerability was responsibly reported through Wordfence’s Bug Bounty Program, earning the researcher a $3,094 reward. Wordfence released a firewall rule to protect premium users on May 28, 2024, and for free users on June 27, 2024. Webnus released the patch on July 8, 2024, after full disclosure details were provided.
Recommended Actions
- Update Immediately: Ensure your Modern Events Calendar plugin is updated to version 7.12.0 or later.
- Monitor for Suspicious Activity: Regularly check your site for any unusual activity.
- Enhance Security: Implement additional security measures, including a firewall and regular audits.
Disclosure Timeline
- May 20, 2024: Vulnerability submitted to Wordfence's Bug Bounty Program.
- May 28, 2024: Wordfence firewall rule released for premium users.
- June 27, 2024: Wordfence firewall rule released for free users.
- July 8, 2024: Webnus releases the patched version 7.12.0.
For more information, visit the original source on Wordfence.
Stay secure with Nebula Design.