A security flaw was discovered in Modern Events Calendar, a widely used WordPress plugin with over 150,000 active installations.

The vulnerability, an arbitrary file upload flaw, allows authenticated users, such as subscribers, to upload arbitrary files to a vulnerable site, potentially leading to remote code execution (RCE).

CVE-2024-5441 – Discovery and reporting

The vulnerability was discovered and responsibly reported by security researcher Foxyyy through the WordPress Bug Bounty Program.

For this important discovery, Foxyyy received a reward of $3,094.00.

Wordfence, a leading WordPress security provider, underscores its commitment to making the web safer by investing in quality vulnerability research and collaborating with top-notch researchers.

Wordfence moved quickly to protect its users. On May 28, 2024, Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to prevent any exploits targeting this vulnerability.

Sites using the free version of Wordfence received the same protection on June 27, 2024.

The Webnus team, developers of the Modern Events Calendar, were contacted on May 24, 2024 and responded on June 14, 2024.

After receiving the full disclosure details, they released a patch on July 8, 2024.

Users are urged to update to the latest patched version 7.12.0 immediately.


The vulnerability was discovered on May 20, 2024, during the Wordfence sponsored Bug Bounty Extravaganza.

The security researcher known as Foxyyy identified the flaw through the Wordfence bug bounty program and responsibly reported it.

Wordfence’s mission to make the web safer is reflected in its investment in quality vulnerability research and collaboration with top-notch researchers.

Their commitment to enhancing the security of the WordPress ecosystem ultimately contributes to a safer web for all.

Technical analysis

The Modern Events Calendar plugin is designed to help WordPress users organize and manage events.

However, a critical flaw was found in the set_featured_image() function of the MEC_main class, which manages the uploading and setting of featured images.

```php
public function set_featured_image($image_url, $post_id)
{
    $attach_id = $this->get_attach_id($image_url);
    if(!$attach_id)
    {
        $upload_dir = wp_upload_dir();
        // The filename is taken verbatim from the attacker-controlled URL;
        // no extension or MIME check is performed before it is written.
        $filename = basename($image_url);

        if(wp_mkdir_p($upload_dir['path'])) $file = $upload_dir['path'].'/'.$filename;
        else $file = $upload_dir['basedir'].'/'.$filename;

        if(!file_exists($file))
        {
            $image_data = $this->get_web_page($image_url);
            file_put_contents($file, $image_data);
        }
    }
}
```

The function downloads the image using the get_web_page() function, which utilizes wp_remote_get() or file_get_contents().

```php
public function get_web_page($url, $timeout = 20)
{
    $result = false;

    if(function_exists('wp_remote_get'))
    {
        $result = wp_remote_retrieve_body(wp_remote_get($url, array(
            'body' => null,
            'timeout' => $timeout,
            'redirection' => 5,
        )));
    }

    // Fallback when the HTTP API is unavailable: fetch the body directly.
    if($result === false)
    {
        $http = [];
        $result = @file_get_contents($url, false, stream_context_create(array('http'=>$http)));
    }

    return $result;
}
```

Unfortunately, the vulnerable version of the function performs no file type or extension check, so a remote file with a .php extension is written into the uploads directory as-is. This makes it possible for attackers to upload and execute arbitrary malicious PHP code, resulting in potential site compromise.
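The following is an added example of how the missing checks could be layered in, written here for illustration; it is not Webnus's actual 7.12.0 patch and not code from the Modern Events Calendar plugin. Every identifier prefixed `example_` or `EXAMPLE_` is an assumption introduced for this example; the WordPress core functions it calls (`current_user_can()`, `wp_http_validate_url()`, `media_sideload_image()`, `set_post_thumbnail()`) are real, and `media_sideload_image()` is chosen precisely because it routes the download through core's own file-type validation instead of `file_put_contents()`.

```php
<?php
/*
 * Added example: a hardened replacement for the set_featured_image() flow
 * shown above. Not the plugin's or vendor's code. Names prefixed example_
 * and EXAMPLE_ are assumptions made for this illustration.
 */

// Constructed allowlist: the only extensions a featured image may carry.
const EXAMPLE_ALLOWED_EXTENSIONS = array('jpg', 'jpeg', 'png', 'gif', 'webp');

/**
 * Pure-PHP check of the remote URL's filename, run before any network I/O
 * or disk write. Returns the filename on success, or null on rejection.
 */
function example_validate_image_filename($image_url)
{
    $path = parse_url($image_url, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return null;
    }

    // Last path segment only; query string and fragment are already gone.
    $filename = basename($path);

    // Examine every dotted segment, not just the last one, so names such as
    // "shell.php.jpg" are rejected on hosts that execute on an inner ".php".
    $segments = explode('.', strtolower($filename));
    if (count($segments) < 2) {
        return null; // no extension at all
    }
    $extension = array_pop($segments);
    if (!in_array($extension, EXAMPLE_ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    foreach ($segments as $inner) {
        if (preg_match('/^ph(p|tml|ar|ps)\d*$/', $inner)) {
            return null;
        }
    }

    return $filename;
}

/**
 * Hardened featured-image setter. Runs only inside WordPress; when called
 * outside wp-admin, the three admin include files below must be loaded
 * first for media_sideload_image() to be defined.
 */
function example_set_featured_image($image_url, $post_id)
{
    // 1. Capability check: the original ran for any authenticated user.
    if (!current_user_can('upload_files') || !current_user_can('edit_post', $post_id)) {
        return new WP_Error('example_forbidden', 'Insufficient privileges.');
    }

    // 2. Structural checks on the URL before any network I/O.
    if (!wp_http_validate_url($image_url)
        || example_validate_image_filename($image_url) === null) {
        return new WP_Error('example_bad_url', 'URL does not name an allowed image type.');
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // 3. Let core fetch and store the file. media_sideload_image() goes through
    //    wp_handle_sideload(), which re-checks extension and MIME type against
    //    the site's allowed upload types and refuses anything that is not an
    //    image, so a .php body can never land in the uploads directory.
    $attachment_id = media_sideload_image($image_url, $post_id, null, 'id');
    if (is_wp_error($attachment_id)) {
        return $attachment_id;
    }

    set_post_thumbnail($post_id, $attachment_id);
    return $attachment_id;
}

// Stand-alone demo of the filename validator, run only outside WordPress.
// The URLs are constructed sample input, not real hosts.
if (!function_exists('add_action')) {
    $samples = array(
        'https://example.invalid/media/photo.jpg',          // accepted
        'https://example.invalid/media/photo.JPG?x=1#f',    // accepted
        'https://example.invalid/media/shell.php',          // rejected
        'https://example.invalid/media/shell.php.jpg',      // rejected
        'https://example.invalid/media/noextension',        // rejected
    );
    foreach ($samples as $url) {
        $verdict = example_validate_image_filename($url) === null ? 'rejected' : 'accepted';
        echo str_pad($verdict, 9), $url, PHP_EOL;
    }
}
```

Two design points are worth noting. The validator never trusts the extension alone as proof of content; it is a cheap pre-filter, and the decisive check is the one core performs on the downloaded bytes inside `wp_handle_sideload()`. And the capability check comes first: the flaw is exploitable by subscriber-level accounts only because the original path asked nothing about who was calling it.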

Disclosure timeline

  • May 20, 2024: Threat submission received.
  • May 28, 2024: Wordfence Premium, Care, and Response users get protection.
  • May 28, 2024: Communication with the plugin vendor is initiated.
  • June 14, 2024: Vendor confirmed inbox to handle discussion.
  • June 14, 2024: Full disclosure details sent to vendor.
  • June 27, 2024: Wordfence free users get protection.
  • July 8, 2024: Patched version 7.12.0 released.

An arbitrary file upload vulnerability in the Modern Events Calendar plugin is a critical vulnerability for WordPress sites using versions 7.11.0 and earlier.

This vulnerability allows authenticated users to execute malicious code on the server, potentially compromising the entire site.

Users are strongly encouraged to update to version 7.12.0 immediately.

Wordfence continues to protect its users by providing timely security measures and collaborating with researchers to secure the WordPress ecosystem.

Share this advisory with anyone using the Modern Events Calendar plugin to ensure their site remains secure.
