CVE-2024-5441

Name of the Vulnerable Software and Affected Versions: Modern Events Calendar plugin for WordPress versions up to, and including, 7.11.0

Description: The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set featured image function. This allows authenticated attackers with subscriber access and above to upload arbitrary files on the affected site's server, which may make remote code execution possible. The plugin also allows administrators to extend the ability to submit events to unauthenticated users, which would enable unauthenticated attackers to exploit this vulnerability. It is estimated that over 150,000 sites are at risk, and hackers are actively exploiting this flaw.

Recommendations: For Modern Events Calendar plugin for WordPress versions up to, and including, 7.11.0: Upgrade to version 7.12.0 ASAP to patch the vulnerability. As a temporary workaround, consider disabling the set featured image function until a patch is available. Restrict access to the plugin's event submission feature to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.