Hackers target WordPress calendar plugin used by 150,000 sites

July 9, 2024 at 01:22PM

Hackers are exploiting a vulnerability in the Modern Events Calendar WordPress plugin, affecting over 150,000 websites. The vulnerability, CVE-2024-5441, allows remote code execution and complete website takeover. A fix in version 7.12.0 has been released, but ongoing attacks are reported, prompting users to upgrade immediately or disable the plugin.

Key takeaways:

1. The Modern Events Calendar WordPress plugin, developed by Webnus and used on over 150,000 websites, has a high-severity vulnerability identified as CVE-2024-5441. This vulnerability allows hackers to upload arbitrary files and execute remote code on vulnerable sites.

2. The security issue stems from a lack of file type validation in the plugin’s ‘set_featured_image’ function, which allows any file type, including risky .PHP files, to be uploaded.

3. Hackers are actively trying to exploit the vulnerability, with over 100 attempted attacks blocked within 24 hours.

4. Webnus has released version 7.12.0 of the Modern Events Calendar, which addresses the vulnerability. Users are strongly advised to upgrade to this version to avoid the risk of a cyberattack.

5. If unable to perform the upgrade immediately, users should consider disabling the plugin until the update can be completed.
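
Because the flaw lets any file type through an image upload path, one practical check after patching is to triage the site's uploads directory for files that are not what their name claims. The script below is an added example, not code from the article or the plugin; the extension list, the reason labels and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions a PHP-enabled web server may be configured to execute.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
# Leading bytes expected for common featured-image formats.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}

def classify(name, data):
    """Return the reasons an uploaded file looks suspicious (empty list if none)."""
    parts = name.lower().split(".")  # lower-cased, so .PHP is treated like .php
    exts = {"." + p for p in parts[1:]}  # every extension, so shell.php.jpg is caught
    last = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if exts & SCRIPT_EXTS:
        reasons.append("script-extension")
    if last in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[last]):
        reasons.append("magic-mismatch")  # image name, non-image content
    if b"<?php" in data.lower():
        reasons.append("php-open-tag")
    return reasons

def scan_uploads(root, max_bytes=1 << 20):
    """Walk an uploads tree; map relative path -> reasons for each flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)  # only the first 1 MiB is inspected
            reasons = classify(fname, data)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Scan a constructed uploads tree (sample files are made up for this example)."""
    samples = {"banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
               "event.php": b"<?php /* constructed placeholder */ ?>",
               "photo.jpg": b"<?php /* constructed placeholder */ ?>"}
    with tempfile.TemporaryDirectory() as root:
        for fname, data in samples.items():
            with open(os.path.join(root, fname), "wb") as fh:
                fh.write(data)
        return scan_uploads(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, ", ".join(reasons))
```

On a real site, call `scan_uploads()` with the path of the uploads directory and treat every hit as a lead to review, not as proof of compromise.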
