Hackers are attempting to exploit a vulnerability in the Modern Events Calendar WordPress plugin, which is installed on more than 150,000 websites, to upload arbitrary files to a vulnerable site and execute code remotely.
The plugin is developed by Webnus and is used to organize and manage in-person, virtual, or hybrid events.
The vulnerability exploited in the attacks is tracked as CVE-2024-5441 and received a high-severity rating (CVSS v3.1: 8.8). It was discovered and responsibly reported on May 20 by Friderika Baranyai during Wordfence's Bug Bounty Extravaganza.
In a report describing the security issue, Wordfence says that it stems from a lack of file type validation in the plugin's 'set_featured_image' function, which is used for uploading and setting featured images for events.
The function takes an image URL and a post ID, tries to get the attachment ID, and if none is found, downloads the image using the get_web_page function.
It retrieves the image using wp_remote_get or file_get_contents and saves it to the WordPress uploads directory using the file_put_contents function.
Modern Events Calendar versions up to and including 7.11.0 perform no check on the file type or extension of the uploaded image file, allowing any file type, including dangerous .PHP files, to be uploaded.
Once uploaded, these files can be accessed and executed, enabling remote code execution on the server and potentially leading to a complete site takeover.
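The defect Wordfence describes is that the downloaded file goes straight to the uploads directory with no check on what it is. The following is an added example of how a featured-image helper can be written defensively; it is not Webnus's code and not the actual patch shipped in 7.12.0, and the function name mec_safe_set_featured_image is an assumption. It uses standard WordPress APIs (download_url, wp_check_filetype_and_ext, wp_get_image_mime, media_handle_sideload) instead of a raw file_put_contents into the uploads directory.

```php
<?php
// Added example, not plugin code: a hardened "set featured image from URL" helper.
// The function name is an assumption; all other functions are WordPress core APIs.
require_once ABSPATH . 'wp-admin/includes/file.php';   // download_url()
require_once ABSPATH . 'wp-admin/includes/media.php';  // media_handle_sideload()
require_once ABSPATH . 'wp-admin/includes/image.php';  // image metadata generation

/**
 * Download an image from $image_url, validate it, and attach it to $post_id.
 * Returns the attachment ID or a WP_Error.
 */
function mec_safe_set_featured_image( string $image_url, int $post_id ) {
    // 1. Capability check: the caller must be allowed to upload media and edit the post.
    //    (The vulnerable path could be reached by low-privileged or unauthenticated users.)
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    // 2. Only http(s) URLs; wp_http_validate_url() also rejects unsafe hosts.
    $image_url = esc_url_raw( $image_url, array( 'http', 'https' ) );
    if ( '' === $image_url || false === wp_http_validate_url( $image_url ) ) {
        return new WP_Error( 'bad_url', 'Invalid image URL.' );
    }

    // 3. Fetch into a temporary file, never directly into wp-content/uploads.
    $tmp = download_url( $image_url, 30 );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }

    // 4. Allow-list of image types. Both the declared extension and the real
    //    content (magic bytes) must resolve to a permitted image MIME type, so a
    //    .php file, or a renamed .jpg that is not actually an image, is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $name = sanitize_file_name( basename( (string) wp_parse_url( $image_url, PHP_URL_PATH ) ) );
    if ( '' === $name ) {
        $name = 'image'; // no extension -> fails the allow-list below by design
    }
    $check     = wp_check_filetype_and_ext( $tmp, $name, $allowed );
    $real_mime = wp_get_image_mime( $tmp ); // false when the bytes are not an image
    if ( empty( $check['type'] ) || ! $real_mime || ! in_array( $real_mime, $allowed, true ) ) {
        wp_delete_file( $tmp );
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF and WebP images are accepted.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename']; // extension corrected to match content
    }

    // 5. Let the media library store the file under a safe name with its MIME
    //    type recorded, rather than writing arbitrary bytes with file_put_contents().
    $attachment_id = media_handle_sideload(
        array( 'name' => $name, 'tmp_name' => $tmp ),
        $post_id
    );
    if ( is_wp_error( $attachment_id ) ) {
        wp_delete_file( $tmp );
        return $attachment_id;
    }

    set_post_thumbnail( $post_id, $attachment_id );
    return $attachment_id;
}
```

The two checks that matter most for this class of bug are the extension allow-list (step 4) and not executing a raw write into the web-served uploads directory (step 5); the capability check in step 1 closes the unauthenticated path that the event-submission setting opens. As a quick post-incident check on a site that ran an affected version, any .php file present under wp-content/uploads should be treated as suspicious, since WordPress itself never stores PHP there.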
Any authenticated user, including subscribers and other registered members, can exploit CVE-2024-5441.
If the plugin is configured to allow event submissions from non-members (visitors without accounts), CVE-2024-5441 is exploitable without authentication.
Webnus fixed the vulnerability yesterday by releasing version 7.12.0 of Modern Events Calendar, which is the recommended upgrade to avoid the risk of a cyberattack.
However, Wordfence reports that hackers are already attempting to leverage the issue in attacks, and that it blocked over 100 attempts in 24 hours.
Given the ongoing exploitation efforts, users of Modern Events Calendar and Modern Events Calendar Lite (the free version) should upgrade to the latest version as soon as possible, or disable the plugin until they can perform the update.