WordPress administrators using the Modern Events Calendar plugin are urged to update their sites immediately because of a significant security vulnerability. Discovered by Wordfence, the flaw involves inadequate file type validation in the plugin's set_featured_image function, which can be exploited to upload malicious files. The vulnerability, identified as CVE-2024-5441, carries a high severity rating with a CVSS score of 8.8 and could allow attackers to execute code remotely or even take over websites.
The issue was first reported by security researcher Friderika Baranyai through Wordfence’s bug bounty program, which led to a coordinated patch effort with the plugin’s developers, Webnus. The vulnerability affects plugin version 7.11.0 and has been addressed in the updated release, version 7.12.0. The researcher received a $3,094 bounty for the discovery.
Despite the release of a patch, Wordfence has noted that the vulnerability is actively being exploited by hackers. Given that the plugin is installed on over 150,000 websites, the risk of widespread impact is significant. Sites running the outdated version are highly vulnerable to attacks that could compromise their security.
Users of the Modern Events Calendar plugin are strongly advised to update to the latest version to protect their sites from potential exploitation. Keeping plugins up to date is crucial to defending against serious security threats such as this one.