EXECUTIVE SUMMARY
Hackers are actively exploiting a high-severity vulnerability, CVE-2024-5441, in the Modern Events Calendar WordPress plugin, which is used by over 150,000 websites to manage events. The vulnerability allows arbitrary file uploads and remote code execution, posing a risk of complete website takeover. The flaw arises from insufficient file type validation in the plugin's 'set_featured_image' function and can be exploited by any authenticated user, including subscribers and registered members. If the plugin is configured to accept event submissions from non-members, it is exploitable without authentication. To mitigate this threat, site owners should immediately disable the plugin until the update is applied, as attackers are already leveraging this issue, and should monitor their sites for any signs of unauthorized file uploads or unusual activity.
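The root cause named above is missing file type validation on a user-supplied featured image. The following is an added example of how such a handler can be hardened using public WordPress APIs; it is not the plugin's own code, and the function name, nonce action and the 'featured_image' form field are assumptions for illustration:

```php
<?php
// Added example, not the plugin's code. Hardened handling of a featured-image
// upload for an event post. Names below (mec_example_*, 'featured_image') are
// assumed for illustration.

/**
 * Validate and attach an uploaded image as the featured image of $event_id.
 *
 * @param int $event_id Post ID of the event.
 * @return int|WP_Error Attachment ID on success, WP_Error on any failure.
 */
function mec_example_set_featured_image( $event_id ) {
    // 1. Authorization: only users who may upload files get past this point.
    //    A subscriber-level account does not have 'upload_files' by default.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to upload files.' );
    }

    // 2. CSRF protection: nonce field and action name are assumed.
    $nonce = isset( $_POST['mec_example_nonce'] ) ? $_POST['mec_example_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'mec_example_set_featured_image' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    if ( empty( $_FILES['featured_image'] ) || UPLOAD_ERR_OK !== $_FILES['featured_image']['error'] ) {
        return new WP_Error( 'no_file', 'No file was uploaded.' );
    }
    $file = $_FILES['featured_image'];

    // 3. Restrict to a short allow-list of image types. wp_check_filetype_and_ext()
    //    checks the actual file content for images, so a PHP script renamed to
    //    "shell.jpg" or given an image MIME type by the client is rejected.
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF or WebP images are accepted.' );
    }

    // 4. Defence in depth: the file must actually decode as an image.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_image', 'The uploaded file is not a valid image.' );
    }

    // 5. Let WordPress store the file under a sanitized, server-chosen name in
    //    the uploads directory, again restricted to the same MIME allow-list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    $attachment_id = media_handle_upload(
        'featured_image',
        $event_id,
        array(),
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( is_wp_error( $attachment_id ) ) {
        return $attachment_id;
    }

    set_post_thumbnail( $event_id, $attachment_id );
    return $attachment_id;
}
```

The important properties are that the decision never trusts the client-supplied filename or MIME type, that the allow-list is limited to image types rather than the site's full upload list, and that the stored filename is chosen by WordPress rather than the submitter. A front-end form that accepts submissions from non-members should perform the same validation and additionally must not rely on the submitter's account for any trust decision.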
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: