This popular WordPress calendar plugin is being targeted by hackers, so act now

Click here to visit Original posting

If your WordPress website is running the Modern Events Calendar plugin, make sure to update immediately, since it carries a high-severity vulnerability that can be abused for full website takeover. To make matters worse, researchers are saying that hackers are already abusing the flaw in the wild.

Cybersecurity researcher Friderika Baranyai first discovered the issue in late May 2024 during the Wordfence Bug Bounty Extravaganza. It is described as a missing file type validation bug, now tracked as CVE-2024-5441. It carries a severity score of 8.8 (high). 

As explained by WordPress security group Wordfence, the plugin lacks file type validation in the ‘set_featured_image’ function, which people can use to upload and set featured images for events. Since the plugin doesn’t check what kind of files are getting uploaded, malicious actors can push harmful .PHP files, as well, which could lead to complete site takeover. Any authenticated user, including subscribers and registered members, can take advantage of the flaw.

Data for sale

A BleepingComputer report claims more than 150,000 WordPress websites are currently using Modern Events Calendar, meaning the attack surface is rather big. 

All versions of the plugin, up to 7.11.0, were said to be vulnerable, and users are advised to update their plugin to version 7.12.0 at least. Wordfence says it is already observing hackers trying to abuse the flaw, as it blocked more than 100 attempts so far.

WordPress is the most popular website builder in the world, currently powering almost half of all websites on the internet. As such, it is a popular target for cybercriminals, but it is generally considered safe and difficult to break. However, WordPress also has a huge online store for themes and add-ons, which are split into freebies and commercial products.

Commercial products are also relatively safe, since they have a dedicated team working on improvements and pushing updates. Free products, however, are often passion projects done by solo developers, or small teams, and are sometimes not updated and maintained, turning into prime targets for threat actors.

More from TechRadar Pro