WordPress Calendar Plugin RCE Flaw Exposes 150,000 Sites for Hacking

A security flaw was discovered in the Modern Events Calendar, a widely used WordPress plugin with over 150,000 active installations.

The vulnerability, identified as an Arbitrary File Upload flaw, allows authenticated users, such as subscribers, to upload arbitrary files to a vulnerable site, potentially leading to remote code execution (RCE).

EHA

CVE-2024-5441 – Discovery and Reporting

The vulnerability was discovered and responsibly reported by security researcher Foxy through the Wordfence Bug Bounty Program.

For this critical discovery, Foxyyy earned a bounty of $3,094.00.

Wordfence, a leading WordPress security provider, emphasized its commitment to securing the web by investing in quality vulnerability research and collaborating with top-tier researchers.

Wordfence acted swiftly to protect its users. On May 28, 2024, Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to block any exploits targeting this vulnerability.

Sites using the free version of Wordfence received the same protection on June 27, 2024.

The Webnus team, developers of the Modern Events Calendar, were contacted on May 24, 2024, and responded on June 14, 2024.

After receiving full disclosure details, they released a patch on July 8, 2024.

Users are urged to update to the latest patched version, 7.12.0, immediately.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

The vulnerability was discovered on May 20, 2024, during the Bug Bounty Extravaganza hosted by Wordfence.

The security researcher known as Foxyyy identified and responsibly reported the flaw through the Wordfence Bug Bounty Program.

For this significant discovery, Foxyyy earned a bounty of $3,094.00.Wordfence’s mission to secure the web is evident through its investment in quality vulnerability research and collaboration with top-tier researchers.

Their commitment to enhancing the security of the WordPress ecosystem ultimately contributes to a safer web for all.

Technical Analysis

The Modern Events Calendar plugin is designed to help WordPress users organize and manage events.

However, a critical flaw was found in the set_featured_image() function of the MEC_main class, which handles uploading and setting featured images.

public function set_featured_image($image_url, $post_id)

{

    $attach_id = $this->get_attach_id($image_url);

    if(!$attach_id)

    {

        $upload_dir = wp_upload_dir();

        $filename = basename($image_url);

        if(wp_mkdir_p($upload_dir['path'])) $file = $upload_dir['path'].'/'.$filename;

        else $file = $upload_dir['basedir'].'/'.$filename;

        if(!file_exists($file))

        {

            $image_data = $this->get_web_page($image_url);

            file_put_contents($file, $image_data);

        }

    }

}

The function downloads the image using the get_web_page() function, which utilizes wp_remote_get() or file_get_contents().

public function get_web_page($url, $timeout = 20)

{

    $result = false;

    if(function_exists('wp_remote_get'))

    {

        $result = wp_remote_retrieve_body(wp_remote_get($url, array(

            'body' => null,

            'timeout' => $timeout,

            'redirection' => 5,

        )));

    }

    if($result === false)

    {

        $http = [];

        $result = @file_get_contents($url, false, stream_context_create(array('http'=>$http)));

    }

    return $result;

}

Unfortunately, the function lacks file type or extension checks in the vulnerable version, allowing the upload of files with a .php extension. This makes it possible for attackers to upload and execute arbitrary malicious PHP code, leading to potential site compromise.

Disclosure Timeline

  • May 20, 2024: Vulnerability submission received.
  • May 28, 2024: Wordfence Premium, Care, and Response users received protection.
  • May 28, 2024: Contact initiated with the plugin vendor.
  • June 14, 2024: Vendor confirmed inbox for handling the discussion.
  • June 14, 2024: Full disclosure details sent to the vendor.
  • June 27, 2024: Wordfence Free users received protection.
  • July 8, 2024: Patched version 7.12.0 released.

The Arbitrary File Upload vulnerability in the Modern Events Calendar plugin poses a significant threat to WordPress sites using versions 7.11.0 and earlier.

This vulnerability allows authenticated users to execute malicious code on the server, potentially compromising the entire site.

Users are strongly encouraged to update to version 7.12.0 immediately.

Wordfence continues to protect its users by providing timely security measures and collaborating with researchers to secure the WordPress ecosystem.

Share this advisory with anyone using the Modern Events Calendar plugin to ensure their site remains secure.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.