Event Alert! Over 150K Websites at Risk from High-Severity Plugin Flaw

Planning to jazz up your site with event flair? Beware the party crashers! Over 150,000 websites using the Modern Events Calendar plugin are under siege by hackers exploiting CVE-2024-5441. Update pronto or face the music! 🎉💻🛑 #EventPluginHack

Hot Take:

Move over, Hogwarts School of Witchcraft and Wizardry, because the world of plugins has its own Defense Against the Dark Arts class, and it’s called updating. Yes, the Modern Events Calendar plugin for WordPress has been caught with its security pants down, thanks to a vulnerability that’s practically holding a “Hack Me” sign. But fear not, dear webmasters, for the spell of patching has been cast, and it’s time to wave your wands (or cursors) and click “update” before the dark wizards, I mean hackers, come out to play.

Key Points:

  • A vulnerability in the Modern Events Calendar plugin is like an open invitation to a hacker house party.
  • Over 150,000 websites could become the event of the season for the wrong crowd.
  • Bug bounty hunters are the unsung heroes, bringing home the bacon and saving our bacon simultaneously.
  • Not all types of uploads are fun. Without proper checks, a .PHP file could crash your website’s party.
  • If you’ve got this plugin, update like your online life depends on it—because it kinda does.
Title: Modern Events Calendar <= 7.11.0 - Authenticated (Subscriber+) Arbitrary File Upload
Cve id: CVE-2024-5441
Cve state: PUBLISHED
Cve assigner short name: Wordfence
Cve date updated: 07/09/2024
Cve description: The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit events to unauthenticated users, which would allow unauthenticated attackers to exploit this vulnerability.

Need to know more?

When Plugins Attack

Imagine this: you're hosting a lovely virtual soiree using your trusty Modern Events Calendar, and BAM! A wild hacker appears. How? Through a little oversight called CVE-2024-5441. It's the digital equivalent of leaving your front door open with a neon "Welcome" sign for cybercriminals. This vulnerability lets attackers upload whatever they want, and I mean whatever. We're talking PHP files dropped into the web-accessible uploads directory, the kind that say "I'm the captain now" to your website the moment someone requests them in a browser.

Bounty Hunters Are Our BFFs

Enter the bounty hunters, but instead of chasing intergalactic fugitives, they're hunting bugs. And not just any bugs, but the ones that leave your site more exposed than a celebrity's Instagram account. Friderika Baranyai, not unlike a digital Indiana Jones, discovered the treacherous trap and reported it responsibly. That means before the bad guys could RSVP "yes" to wrecking your site.

Check Yourself Before You Wreck Yourself

The heart of the issue is a function as innocently named as "set_featured_image." Sounds harmless, right? Wrong. It's more like "set_featured_backdoor." With no file type validation, whatever the client calls the file is what gets written to disk, so it's a free-for-all, and PHP files are crashing the party, turning your event into a hackathon. And not the cool kind where people invent the next big app.

Open Door Policy Gone Wrong

Let's talk about the VIP list, or in this case, the VHP (Very Hackable Plugins) list. Any Tom, Dick, or Harry with a subscriber account could exploit this vulnerability, and Subscriber is the default role WordPress hands to anyone who self-registers. Heck, if you were feeling extra welcoming and flipped the plugin setting that lets non-members submit events, you just gave them the keys to the kingdom—no authentication needed. It's like having a bouncer at your club who's actually a cardboard cutout.
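To make the "no file type validation" point concrete, here is an added illustration of the vulnerable pattern beside a hardened one. This is not the Modern Events Calendar plugin's code and not Webnus's fix; the handler names (mec_demo_set_featured_image_vulnerable, mec_demo_set_featured_image_hardened), the nonce action and the meta key are hypothetical, while the WordPress functions called (wp_check_filetype_and_ext, media_handle_upload, set_post_thumbnail, current_user_can, wp_verify_nonce) are core APIs.

```php
<?php
// Added illustration, not the Modern Events Calendar plugin's code.
// Hypothetical handler names and meta key; only core WordPress functions are used.

// Vulnerable pattern: the client-supplied file name (and therefore extension)
// is trusted, and the temp file is simply moved into wp-content/uploads.
// A "featured image" named shell.php ends up web-accessible and executable.
function mec_demo_set_featured_image_vulnerable( int $event_id ): void {
    if ( empty( $_FILES['featured_image'] ) ) {
        return;
    }
    $upload_dir = wp_upload_dir();
    $file       = $_FILES['featured_image'];
    $target     = trailingslashit( $upload_dir['path'] ) . basename( $file['name'] ); // .php accepted

    if ( move_uploaded_file( $file['tmp_name'], $target ) ) {
        update_post_meta( $event_id, 'mec_demo_featured_image', $target );
    }
}

// Hardened version: capability and nonce checks first, then let WordPress
// validate the file against an image-only allowlist (extension AND sniffed
// content via wp_check_filetype_and_ext), and hand it to the media library so it
// is stored under a sanitized name as an attachment rather than as raw bytes.
function mec_demo_set_featured_image_hardened( int $event_id ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    if ( ! isset( $_POST['_mec_demo_nonce'] ) ||
         ! wp_verify_nonce( $_POST['_mec_demo_nonce'], 'mec_demo_featured_image' ) ) {
        return new WP_Error( 'bad_nonce', 'Request could not be verified.' );
    }
    if ( empty( $_FILES['featured_image'] ) || $_FILES['featured_image']['error'] !== UPLOAD_ERR_OK ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }

    $file  = $_FILES['featured_image'];
    $mimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );

    // Rejects anything whose extension is not in the allowlist or whose
    // sniffed content does not match the claimed image type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF or WebP images are allowed.' );
    }

    // media_handle_upload() runs wp_handle_upload() (re-checks the type against
    // $mimes and sanitizes the file name) and creates an attachment post.
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';

    $attachment_id = media_handle_upload(
        'featured_image',
        $event_id,
        array(),
        array( 'test_form' => false, 'mimes' => $mimes )
    );
    if ( is_wp_error( $attachment_id ) ) {
        return $attachment_id;
    }

    set_post_thumbnail( $event_id, $attachment_id );
    return $attachment_id;
}
```

The type allowlist is the control that actually closes the hole described in the CVE text: even a site that deliberately lets subscribers or guests submit events stays safe as long as a .php (or .phtml, .phar, double-extension) file can never be written under uploads. The upload_files capability check is defense in depth; a plugin that must accept guest submissions would keep the type check and drop or relax the capability gate, not the other way round.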

The Magic Wand of Updates

But don't despair! The wizards at Webnus waved their magic wands and poofed up version 7.12.0, which puts that vulnerability to bed without a bedtime story. The catch? You actually have to update to this version to close the door on this unwelcome guest. And you might want to hurry because the hackers are already knocking, and they don't take "no" for an answer. One more thing: the update closes the door, it doesn't evict anyone who already walked in. If your site was exposed, look for stray .php files under wp-content/uploads and any unexpected administrator accounts, because a web shell planted before the patch keeps working after it.

So there you have it, folks. The world of cybersecurity is a wild rollercoaster, and the only ticket you need is constant vigilance and updates. Now go forth and patch like a pro.

Tags: CVE-2024-5441, Modern Events Calendar exploit, Remote Code Execution, vulnerability patching, Webnus update, WordPress Plugin Vulnerability, WordPress security issue