Critical Vulnerability in Popular WordPress Calendar Plugin

David Pottrell


Hi! I’m a web developer and Head of Digital at Nebula Design who loves all things tech. When I’m not surrounded by code, I’m probably reading up on the latest development trends or on the pottery wheel.

I got my start in technology as a self-taught web freelancer. After studying at university and joining a small agency, Nebula Design was created. I specialise in both front-end and back-end development, typically around WordPress. I’ve also got expertise in Search Engine Optimisation, Ecommerce and various emerging tech standards.

Published on July 11th, 2024

A severe security vulnerability in the Modern Events Calendar plugin for WordPress has been discovered, affecting over 150,000 websites. This flaw allows authenticated users to upload arbitrary files, leading to potential remote code execution.

On May 20th, 2024, during our Bug Bounty Extravaganza, we received a submission for an Arbitrary File Upload vulnerability in Modern Events Calendar, a WordPress plugin with more than 150,000 estimated active installations.

István Márton, from the original Wordfence advisory.

Exploit details:

  • Vulnerability: CVE-2024-5441, identified by Friderika Baranyai.
  • Impact: High severity with a CVSS score of 8.8.
  • Solution: Update to version 7.12.0 released by Webnus.

Bounty and Response

The vulnerability was responsibly reported through Wordfence’s Bug Bounty Program, earning the researcher a $3,094 reward. Wordfence released a firewall rule to protect premium users on May 28, 2024, and for free users on June 27, 2024. Webnus released the patch on July 8, 2024, after full disclosure details were provided.

Recommended Actions

Update Immediately: Ensure your Modern Events Calendar plugin is updated to version 7.12.0 or later.

Monitor for Suspicious Activity: Regularly check your site for any unusual activity.

Enhance Security: Implement additional security measures, including firewalls and regular audits.
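The update check and the monitoring step above, as an added example (not code from Wordfence, Webnus or this post): a small Python helper that reads the plugin's Version: header, compares it numerically against 7.12.0, and flags files in the uploads directory that a PHP host could execute. The sample plugin header, its version number and the wp-content/uploads layout are assumptions for the demo, not details from the advisory.

```python
import re
from pathlib import Path

FIXED_VERSION = "7.12.0"  # release the advisory says closes CVE-2024-5441

# Suffixes a typical PHP host will execute. Every suffix in the name is checked,
# so a double extension such as "invoice.php.jpg" is flagged as well.
EXECUTABLE_SUFFIXES = {".php", ".php5", ".php7", ".phtml", ".phar"}

# Constructed sample of a WordPress plugin header; the version is made up.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Modern Events Calendar Lite
 * Version: 7.9.0
 */
"""


def parse_version(text):
    """'7.12.0' -> (7, 12, 0). Numeric tuples compare correctly; strings do not
    ('7.12.0' < '7.9.0' as text), which would mark a patched site as outdated."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_from_header(header_text):
    """Return the Version: field of a WordPress plugin header, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is the fixed release or later."""
    return parse_version(installed) >= parse_version(fixed)


def flag_executable_uploads(paths):
    """Given file paths under wp-content/uploads, return those a PHP host could
    execute; legitimate uploads are images, PDFs and similar media."""
    flagged = []
    for p in paths:
        suffixes = {s.lower() for s in Path(p).suffixes}
        if suffixes & EXECUTABLE_SUFFIXES:
            flagged.append(str(p))
    return sorted(flagged)


def scan_uploads_dir(uploads_dir):
    """Walk a real uploads directory (assumed layout: wp-content/uploads)."""
    files = (p for p in Path(uploads_dir).rglob("*") if p.is_file())
    return flag_executable_uploads(files)
```

Run `scan_uploads_dir("/path/to/wp-content/uploads")` on a live site and review anything it returns; a hit is worth investigating even on a site already running 7.12.0, since the file may predate the update.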

Disclosure Timeline

For more information, visit the original source on Wordfence.

Stay secure with Nebula Design.