Urgent Action Needed: Hackers Targeting a Popular WordPress Calendar Plugin
If your WordPress site uses the Modern Events Calendar plugin, it’s crucial to update immediately due to a critical vulnerability that could lead to a full website takeover. According to cybersecurity researcher Friderika Baranyai, who discovered the issue during the Wordfence Bug Bounty Extravaganza in late May 2024, the vulnerability (CVE-2024-5441) is categorized with a high severity score of 8.8.
The vulnerability stems from missing file type validation in the plugin’s ‘set_featured_image’ function. Because the function does not verify that an uploaded file is actually an image, a user can submit a .PHP file through the event featured-image upload path, and it is stored just like a legitimate image. Any authenticated user, including subscribers and registered members, could potentially exploit this flaw.
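To show what “missing file type validation” means in practice, here is an added example of the kind of check a featured-image upload handler should perform before a file is stored. This is illustrative code written for this article, not the Modern Events Calendar plugin’s own code; the function name, the allowlist, and the sample files are assumptions. It accepts a file only when the extension, the server-detected MIME type, and the decoded image header all agree, which is what stops a PHP script that merely carries an image extension.

```php
<?php
// Added example (hypothetical helper, not the plugin's code).
// Validates a candidate "featured image" upload before it is moved into the
// uploads directory. Returns [bool $ok, string $reason].

function validate_featured_image_upload(string $tmpPath, string $clientName): array
{
    // Assumed allowlist: extension => MIME types that getimagesize/finfo may report.
    $allowed = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
        'webp' => ['image/webp'],
    ];

    // 1. Reject any filename that carries a script extension anywhere in its
    //    name (e.g. "shell.php.jpg"); multi-extension tricks are a common bypass.
    $parts = explode('.', strtolower(basename($clientName)));
    array_shift($parts); // drop the base name, keep every extension segment
    foreach ($parts as $segment) {
        if (preg_match('/^(php\d*|phtml|phar|html?|js)$/', $segment)) {
            return [false, 'script-like extension in filename'];
        }
    }

    // 2. The final extension must be on the allowlist.
    $ext = end($parts) ?: '';
    if (!isset($allowed[$ext])) {
        return [false, "extension '$ext' not allowed"];
    }

    // 3. The MIME type detected from file content (not from the client) must
    //    match the extension.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $detectedMime = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    if (!in_array($detectedMime, $allowed[$ext], true)) {
        return [false, "content type '$detectedMime' does not match .$ext"];
    }

    // 4. The file must actually decode as an image with a consistent type.
    $info = @getimagesize($tmpPath);
    if ($info === false || !in_array($info['mime'], $allowed[$ext], true)) {
        return [false, 'file does not decode as the claimed image type'];
    }

    return [true, 'ok'];
}

// --- Constructed demonstration inputs (written to temp files at runtime) ---

// A PHP script disguised with an image extension: must be rejected.
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'not an image';");

// A genuine 1x1 transparent GIF: must be accepted.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

foreach ([[$script, 'event.jpg'], [$script, 'event.php.jpg'], [$gif, 'event.gif']] as [$path, $name]) {
    [$ok, $why] = validate_featured_image_upload($path, $name);
    printf("%-14s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
}

unlink($script);
unlink($gif);
```

Inside WordPress, the equivalent built-in check is wp_check_filetype_and_ext(), which compares the extension against the detected content type and is what wp_handle_upload() relies on; a plugin that writes files without going through that path loses those checks. As defense in depth, the web server can also be configured so that nothing under wp-content/uploads is ever executed as PHP, which limits the impact even when a validation bug like this one slips through.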
Reports indicate that hackers have already begun exploiting this vulnerability in the wild. A recent BleepingComputer report estimates that over 150,000 WordPress sites currently use the Modern Events Calendar plugin, significantly expanding the attack surface.
All versions of the plugin up to 7.11.0 are vulnerable. Users are strongly advised to update to version 7.12.0 or higher immediately to mitigate the risk. Wordfence, a WordPress security group, has already detected and blocked numerous attempts to exploit this vulnerability, underscoring the urgency of updating.
WordPress, powering nearly half of all websites globally, remains a top target for cybercriminals due to its popularity. While commercial products generally receive timely updates and maintenance, free plugins like Modern Events Calendar, often developed by small teams or individuals, may lag behind in security patches, making them prime targets for malicious activities.