Security researchers have discovered a critical vulnerability in the Modern Events Calendar plugin for WordPress, affecting all versions up to and including 7.11.0.
The vulnerability exploited in attacks is identified as CVE-2024-5441 and received a high-severity score (CVSS v3.1: 8.8). It was discovered and reported responsibly on May 20 by Friderika Baranyai during Wordfence’s Bug Bounty Extravaganza.
The vulnerability stems from the plugin’s use of the set_featured_image() function, which facilitates image uploads for events. The function lacks adequate validation for file types and extensions, permitting the upload of files with .php extensions. This oversight is compounded by the fact that uploaded files are stored in the WordPress uploads directory, which is publicly accessible.
public function set_featured_image($image_url, $post_id)
{
$attach_id = $this->get_attach_id($image_url);
if(!$attach_id)
{
$upload_dir = wp_upload_dir();
$filename = basename($image_url);
if(wp_mkdir_p($upload_dir['path'])) $file = $upload_dir['path'].'/'.$filename;
else $file = $upload_dir['basedir'].'/'.$filename;
if(!file_exists($file))
{
$image_data = $this->get_web_page($image_url);
file_put_contents($file, $image_data);
}The plugin uses this function, among other things, for frontend event submission, where by default registered users can submit events and upload a featured image for the event. Depending on the plugin settings, submission can also be allowed for guests, which means that in such cases, users who are not logged in can also use the event submission feature.
The set_featured_image() function downloads the image using the get_web_page() function, which uses the wp_remote_get() or file_get_contents() function.
public function get_web_page($url, $timeout = 20)
{
$result = false;
// Doing WordPress Remote
if(function_exists('wp_remote_get'))
{
$result = wp_remote_retrieve_body(wp_remote_get($url, array(
'body' => null,
'timeout' => $timeout,
'redirection' => 5,
)));
}
// Doing FGC
if($result === false)
{
$http = [];
$result = @file_get_contents($url, false, stream_context_create(array('http'=>$http)));
}
return $result;
}Then it uploads the file to the WordPress uploads directory using the file_put_contents() function.
Unfortunately, the function does not include any file type or extension checks in the vulnerable version. This means that not only image files can be uploaded, but it is also possible to upload files with a .php extension. The file is uploaded to the WordPress uploads folder, which is publicly accessible.
This makes it possible for attackers, with authenticated access such as subscribers, to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server. On sites where unauthenticated event submissions are allowed, this means unauthenticated attackers could upload a malicious PHP file and achieve remote code execution.
As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.
Given the widespread use of Modern Events Calendar across numerous WordPress sites (estimated to be over 150,000 installations), the risk posed by this vulnerability is significant. Site administrators are strongly advised to update to the latest version of the plugin immediately. The developers have patched this issue in the latest release, which includes comprehensive file type validation to prevent unauthorized uploads.
