Hackers are Actively Exploiting CVE-2024-5441 Flaw, 150,000 Sites at Risk

A severe vulnerability (CVE-2024-5441) has been discovered in the widely used WordPress plugin Modern Events Calendar, leaving over 150,000 websites exposed to potential remote code execution attacks. This critical flaw allows malicious actors, even those with minimal subscriber-level access, to upload arbitrary files, including malicious PHP code, potentially compromising entire websites.

The Modern Events Calendar plugin is vulnerable due to missing file type validation in the set_featured_image function. This flaw enables attackers with subscriber access or higher to upload any file type, including malicious PHP scripts, to the server. In some configurations, even unauthenticated users could exploit this flaw if the plugin settings permit guest event submissions.

“On sites where unauthenticated event submissions are allowed, this means unauthenticated attackers could upload a malicious PHP file and achieve remote code execution,” Wordfence explains.

“As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.”

Wordfence, a security firm specializing in WordPress security, has already detected and blocked 134 attacks exploiting this vulnerability in the past 24 hours. The urgency to address this issue cannot be overstated, as active exploitation is underway.

The CVE-2024-5441 vulnerability was responsibly disclosed by a researcher known as Foxyyy, who reported it through the Wordfence Bug Bounty Program, earning a bounty of $3,094.00.

Users of the Modern Events Calendar plugin are strongly urged to update to the latest version, 7.12.0, which contains the necessary patch to fix this vulnerability. Ensuring that your site is running this updated version will protect it from potential exploits targeting this flaw.