WordPress Calendar Plugin Vulnerability Puts 150K Sites at Risk of Hacking
Hackers have targeted the Modern Events Calendar WordPress plugin, a widely used tool with over 150,000 active installations. The flaw, an Arbitrary File Upload vulnerability tracked as CVE-2024-5441, allows any authenticated user, down to the subscriber role, to upload arbitrary files to a vulnerable site, potentially leading to remote code execution (RCE).
The vulnerability was discovered on May 20, 2024, during the Bug Bounty Extravaganza hosted by Wordfence. Security researcher Foxyyy identified and responsibly reported the flaw through the Wordfence Bug Bounty Program, earning a bounty of $3,094.00 for this critical discovery. Wordfence, a leading WordPress security provider, highlighted its commitment to securing the web by investing in quality vulnerability research and collaborating with top-tier researchers.
Swift Response and Protection Measures
Wordfence acted swiftly to protect its users. On May 28, 2024, Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to block any exploits targeting this vulnerability. Sites using the free version of Wordfence received the same protection on June 27, 2024. The Webnus team, developers of the Modern Events Calendar, were contacted on May 24, 2024, and responded on June 14, 2024. After receiving full disclosure details, they released a patch on July 8, 2024. Users are urged to update to the latest patched version, 7.12.0, immediately.
Disclosure Timeline
- May 20, 2024: Vulnerability submission received.
- May 28, 2024: Wordfence Premium, Care, and Response users received protection.
- May 28, 2024: Contact initiated with the plugin vendor.
- June 14, 2024: Vendor confirmed the inbox for handling the disclosure discussion.
- June 14, 2024: Full disclosure details sent to the vendor.
- June 27, 2024: Wordfence Free users received protection.
- July 8, 2024: Patched version 7.12.0 released.
Technical Analysis
The Modern Events Calendar plugin is designed to help WordPress users organize and manage events.
However, a critical flaw was found in the `set_featured_image()` function of the `MEC_main` class, which handles uploading and setting featured images.
```php
// Vulnerable version of MEC_main::set_featured_image() (before 7.12.0), as shown on the page.
public function set_featured_image($image_url, $post_id)
{
    $attach_id = $this->get_attach_id($image_url);
    if(!$attach_id)
    {
        $upload_dir = wp_upload_dir();
        // The file name is taken straight from the URL; no extension or type check follows.
        $filename = basename($image_url);
        if(wp_mkdir_p($upload_dir['path'])) $file = $upload_dir['path'].'/'.$filename;
        else $file = $upload_dir['basedir'].'/'.$filename;
        if(!file_exists($file))
        {
            // Remote content is written into the uploads directory as-is.
            $image_data = $this->get_web_page($image_url);
            file_put_contents($file, $image_data);
        }
    }
}
```
The function downloads the remote content through `get_web_page()`, which uses `wp_remote_get()` when available and falls back to `file_get_contents()` otherwise.
```php
public function get_web_page($url, $timeout = 20)
{
    $result = false;
    if(function_exists('wp_remote_get'))
    {
        $result = wp_remote_retrieve_body(wp_remote_get($url, array(
            'body' => null,
            'timeout' => $timeout,
            'redirection' => 5,
        )));
    }
    // Fallback with errors suppressed. wp_remote_retrieve_body() returns '' rather than
    // false on a WP_Error, so in practice this branch is rarely reached.
    if($result === false)
    {
        $http = [];
        $result = @file_get_contents($url, false, stream_context_create(array('http'=>$http)));
    }
    return $result;
}
```
In the vulnerable version neither function performs a file type or extension check: the destination name comes directly from `basename($image_url)`, so a URL ending in `.php` is saved as a `.php` file inside the uploads directory. An authenticated user can therefore place arbitrary PHP code where the web server will execute it, leading to site compromise.
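For comparison, here is a hardened counterpart to `set_featured_image()`. This is an added example, not code from the plugin, from Webnus or from Wordfence; the function name is hypothetical, and it assumes it runs inside WordPress with `wp-admin/includes/file.php` loaded so that `wp_tempnam()` and `wp_handle_sideload()` are available. Every check it adds is a WordPress core function, so the same validation can be applied to any "fetch a remote image and store it" routine.

```php
// Hypothetical hardened replacement; returns the wp_handle_sideload() result or a WP_Error.
function mec_hardened_sideload_image( $image_url, $post_id ) {
    // 1. Authorization: subscriber-level users must not be able to write to uploads at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }

    // 2. Accept only http(s) URLs that core considers safe to fetch (blocks local/odd schemes).
    $image_url = wp_http_validate_url( $image_url );
    if ( ! $image_url ) {
        return new WP_Error( 'bad_url', 'Invalid or disallowed URL.' );
    }

    // 3. Fetch and check the HTTP status instead of trusting whatever comes back.
    $response = wp_remote_get( $image_url, array( 'timeout' => 20, 'redirection' => 5 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not download image.' );
    }
    $body = wp_remote_retrieve_body( $response );

    // 4. Derive a sanitized name from the URL path only (no query string, no traversal).
    $name = sanitize_file_name( basename( (string) wp_parse_url( $image_url, PHP_URL_PATH ) ) );
    if ( '' === $name ) {
        return new WP_Error( 'bad_name', 'Could not derive a file name.' );
    }

    // 5. Write to a temp file and let core verify the extension AND the real content type.
    $tmp = wp_tempnam( $name );
    file_put_contents( $tmp, $body );
    $check = wp_check_filetype_and_ext( $tmp, $name );
    if ( ! $check['type'] || 0 !== strpos( $check['type'], 'image/' ) ) {
        @unlink( $tmp );
        return new WP_Error( 'not_image', 'Only image files are accepted.' );
    }
    // Core may correct the extension when the bytes do not match it (e.g. a JPEG named .png).
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename'];
    }

    // 6. Move into the uploads directory through core's upload handler, which re-validates.
    $file   = array( 'name' => $name, 'tmp_name' => $tmp );
    $result = wp_handle_sideload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'sideload_failed', $result['error'] );
    }
    return $result; // 'file', 'url' and 'type'; create the attachment for $post_id from here.
}
```

A `.php` name fails at step 5 because `wp_check_filetype_and_ext()` returns no allowed type for it, so nothing executable ever reaches the uploads directory.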
The Arbitrary File Upload vulnerability in the Modern Events Calendar plugin poses a significant threat to WordPress sites using versions 7.11.0 and earlier. This vulnerability allows authenticated users to execute malicious code on the server, potentially compromising the entire site. Users are strongly encouraged to update to version 7.12.0 immediately. Wordfence continues to protect its users by providing timely security measures and collaborating with researchers to secure the WordPress ecosystem.
WordPress site administrators, cybersecurity professionals, and developers using the Modern Events Calendar plugin should take immediate action to update their plugin and secure their websites. Sharing this advisory with anyone using the plugin is essential to ensure widespread protection and maintain a secure WordPress ecosystem.