Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This popular WordPress calendar plugin is being targeted by hackers, so act now

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS).

If your WordPress website is running the Modern Events Calendar plugin, make sure to update immediately, since it carries a high-severity vulnerability that can be abused for full website takeover. To make matters worse, researchers are saying that hackers are already abusing the flaw in the wild.

Cybersecurity researcher Friderika Baranyai first discovered the issue in late May 2024 during the Wordfence Bug Bounty Extravaganza. It is described as a missing file type validation bug, now tracked as CVE-2024-5441. It carries a severity score of 8.8 (high). 

As explained by WordPress security group Wordfence, the plugin lacks file type validation in the ‘set_featured_image’ function, which people can use to upload and set featured images for events. Since the plugin doesn’t check what kind of files are getting uploaded, malicious actors can push harmful .PHP files, as well, which could lead to complete site takeover. Any authenticated user, including subscribers and registered members, can take advantage of the flaw.

Data for sale

A BleepingComputer report claims more than 150,000 WordPress websites are currently using Modern Events Calendar, meaning the attack surface is rather big. 

All versions of the plugin, up to 7.11.0, were said to be vulnerable, and users are advised to update their plugin to version 7.12.0 at least. Wordfence says it is already observing hackers trying to abuse the flaw, as it blocked more than 100 attempts so far.

WordPress is the most popular website builder in the world, currently powering almost half of all websites on the internet. As such, it is a popular target for cybercriminals, but it is generally considered safe and difficult to break. However, WordPress also has a huge online store for themes and add-ons, which are split into freebies and commercial products.

Commercial products are also relatively safe, since they have a dedicated team working on improvements and pushing updates. Free products, however, are often passion projects done by solo developers, or small teams, and are sometimes not updated and maintained, turning into prime targets for threat actors.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.