WordPress plug-in with 150,000 installations enables arbitrary file uploads

A vulnerability has been discovered in a WordPress plug-in with 150,000 installations that allows the uploading of arbitrary files.


This article was originally published in German and has been automatically translated.

According to the IT security company Wordfence, the WordPress plug-in Modern Events Calendar is used on more than 150,000 installations. IT security researchers have discovered a vulnerability in it that allows attackers to upload arbitrary files.

The IT researchers at Wordfence have published an analysis in their blog, according to which the vulnerability was discovered at the end of May. Because the set_featured_image function does not check the type of the uploaded file, attackers can upload arbitrary files. This could allow malicious code to be executed remotely, the analysts explain (CVE-2024-5441, CVSS 8.8, risk "high"). Attackers require the "Subscriber" authorization level or higher. In the settings, administrators can allow unauthenticated users to enter events; in that case, attackers can also smuggle in and execute malicious code without logging in first.
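As an added illustration of the missing check described above (this is not the plug-in's code or Wordfence's analysis), here is a hypothetical WordPress featured-image upload handler that restricts uploads to image types using core's wp_check_filetype_and_ext() and wp_handle_upload(); the function name and the allow-list are assumptions.

```php
<?php
// Hypothetical hardened featured-image handler (example code, not from the
// Modern Events Calendar plug-in). The reported bug is an upload path that
// trusts the submitted file without checking its type; this handler checks
// both the extension and the file's actual content signature.

function example_set_featured_image( array $file ) {
    // Only users who may upload media at all, never anonymous visitors.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload files.' );
    }

    // Allow-list of image types, deliberately narrower than the site-wide list.
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
    );

    // wp_check_filetype_and_ext() inspects the file contents (magic bytes) as
    // well as the extension; 'ext' and 'type' are false when the file is not
    // an allowed image or when extension and content do not agree.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( false === $check['ext'] || false === $check['type'] ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF or WebP images are accepted.' );
    }

    // Store under the extension-corrected name WordPress proposes, if any.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // Let core move the file into the uploads directory with the same
    // allow-list enforced again; 'test_form' is false because this handler
    // is not fed from a standard wp_upload form field.
    $moved = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'upload_failed', $moved['error'] );
    }
    return $moved; // array with 'file', 'url' and 'type'
}
```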

The plug-in Modern Events Calendar in version 7.11.0 and older is affected. Wordfence had already reported the vulnerability to the developers at the end of May. They responded in mid-June and finally released the fixed version 7.12.0 of the plug-in on Monday of this week.

Users of the Modern Events Calendar or the light version should install the latest version as soon as possible.

It was only around two weeks ago that it became known that attackers had been able to insert malicious code of the same type into five WordPress plug-ins. Only one of them received an update. Attackers could use the smuggled-in code to create administrator accounts and thus effectively take over the WordPress instance.

(dmk)