WordPress Calendar Plugin RCE Flaw Exposes 150,000 Sites to Hacking
A security flaw was present in the Modern Events Calendar, a widely used WordPress plugin with over 150,000 active installations.
The vulnerability, identified as an Arbitrary File Upload flaw, enables authenticated users, even those with subscriber-level access, to upload arbitrary files to a vulnerable site, potentially resulting in remote code execution (RCE).
CVE-2024-5441 – Discovery and Reporting
The vulnerability was discovered and responsibly reported by security researcher Foxyyy through the Wordfence Bug Bounty Program.
For this critical discovery, Foxyyy earned a bounty of $3,094.00.
Wordfence, a leading WordPress security provider, emphasised its commitment to securing the web by investing in quality vulnerability research and collaborating with top-tier researchers.
Wordfence acted quickly to protect its users. On May 28, 2024, Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to block any exploits targeting this vulnerability.
Sites using the free version of Wordfence received the same protection on June 27, 2024.
The Webnus team, developers of the Modern Events Calendar, were contacted on May 24, 2024, and responded on June 14, 2024.
After receiving full disclosure details, they released a patch on July 8, 2024.
Users are advised to update to the latest patched version, 7.12.0, immediately.
The vulnerability was discovered on May 20, 2024, during the Bug Bounty Extravaganza hosted by Wordfence.
The security researcher known as Foxyyy identified and responsibly reported the flaw through the Wordfence Bug Bounty Program.
Wordfence's mission to secure the web is evident through its investment in quality vulnerability research and its collaboration with top-tier researchers.
Their commitment to improving the security of the WordPress ecosystem ultimately contributes to a safer web for all.
Technical Analysis
The Modern Events Calendar plugin is designed to help WordPress users manage and set up events.
However, a critical flaw was present in the set_featured_image() function of the MEC_main class, which handles uploading and setting featured images.
```php
public function set_featured_image($image_url, $post_id)
{
    $attach_id = $this->get_attach_id($image_url);
    if(!$attach_id)
    {
        $upload_dir = wp_upload_dir();
        // The filename is taken straight from the URL; no extension or type check is made
        $filename = basename($image_url);

        if(wp_mkdir_p($upload_dir['path'])) $file = $upload_dir['path'].'/'.$filename;
        else $file = $upload_dir['basedir'].'/'.$filename;

        if(!file_exists($file))
        {
            // The remote content is written to the uploads directory unchanged
            $image_data = $this->get_web_page($image_url);
            file_put_contents($file, $image_data);
        }
    }
}
```

The function downloads the image using the get_web_page() function, which uses wp_remote_get() or, as a fallback, file_get_contents():

```php
public function get_web_page($url, $timeout = 20)
{
    $result = false;

    // Preferred path: the WordPress HTTP API
    if(function_exists('wp_remote_get'))
    {
        $result = wp_remote_retrieve_body(wp_remote_get($url, array(
            'body' => null,
            'timeout' => $timeout,
            'redirection' => 5,
        )));
    }

    // Fallback: a plain PHP stream fetch
    if($result === false)
    {
        $http = [];
        $result = @file_get_contents($url, false, stream_context_create(array('http'=>$http)));
    }

    return $result;
}
```
Unfortunately, the function lacks any file type or extension check in the vulnerable version, allowing the upload of files with a .php extension. This makes it possible for attackers to upload and execute arbitrary malicious PHP code, resulting in potential site compromise.
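As an added defensive example (not the plugin's or Wordfence's code), the following standalone PHP shows the kind of validation the vulnerable function lacked: the filename is derived from the URL path only, restricted to a single allowlisted image extension, and the downloaded bytes are checked to actually be that image type before anything is written. The function names and the demo inputs are constructed for this example.

```php
<?php
// Added example (not the plugin's own code): validate a "featured image"
// by name AND by content before writing it into the uploads directory.
const ALLOWED_IMAGE_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                           'png' => 'image/png', 'gif' => 'image/gif', 'webp' => 'image/webp'];

// Derive a safe filename from the URL, or null if it must be rejected.
function safe_image_filename(string $image_url): ?string {
    // Use only the path component so "x.php?a=b" or "#x.png" cannot disguise the name
    $path = parse_url($image_url, PHP_URL_PATH);
    if (!is_string($path)) return null;
    $name = basename($path);
    // Reject empty or hidden names, NUL bytes and traversal sequences
    if ($name === '' || $name[0] === '.' || str_contains($name, "\0") || str_contains($name, '..')) return null;
    // Exactly one extension, from the allowlist (rejects shell.php and shell.php.jpg alike)
    $parts = explode('.', $name);
    if (count($parts) !== 2) return null;
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_IMAGE_EXT[$ext])) return null;
    // Conservative character set for the base name
    if (!preg_match('/^[A-Za-z0-9_-]{1,100}$/', $parts[0])) return null;
    return $parts[0] . '.' . $ext;
}

// Confirm the bytes really are the image type the extension claims.
function is_real_image(string $bytes, string $filename): bool {
    $info = @getimagesizefromstring($bytes);
    if ($info === false) return false;
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return isset(ALLOWED_IMAGE_EXT[$ext]) && $info['mime'] === ALLOWED_IMAGE_EXT[$ext];
}

// Write the file only after both checks pass; returns the path or null.
function store_featured_image(string $image_url, string $bytes, string $upload_dir): ?string {
    $name = safe_image_filename($image_url);
    if ($name === null || !is_real_image($bytes, $name)) return null;
    $file = rtrim($upload_dir, '/') . '/' . $name;
    if (file_exists($file)) return $file;   // keep the plugin's "do not overwrite" behaviour
    return file_put_contents($file, $bytes) === false ? null : $file;
}

// Constructed demo inputs: a 1x1 PNG and a PHP-looking name/body that must be refused
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
var_dump(safe_image_filename('https://example.com/shell.php'));
var_dump(safe_image_filename('https://example.com/banner.png?x=1'));
var_dump(is_real_image($png, 'banner.png'));
var_dump(is_real_image('<?php echo 1; ?>', 'banner.png'));
var_dump(store_featured_image('https://example.com/banner.png', $png, sys_get_temp_dir()));
```

Inside WordPress the same checks can be layered on top of wp_check_filetype_and_ext() and sanitize_file_name(); the point is that both the name and the content are validated before file_put_contents() runs.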
Disclosure Timeline
- May 20, 2024: Vulnerability submission received.
- May 28, 2024: Wordfence Premium, Care, and Response users received protection.
- May 28, 2024: Contact initiated with the plugin vendor.
- June 14, 2024: Vendor confirmed the inbox for handling the discussion.
- June 14, 2024: Full disclosure details sent to the vendor.
- June 27, 2024: Wordfence Free users received protection.
- July 8, 2024: Patched version 7.12.0 released.
The Arbitrary File Upload vulnerability in the Modern Events Calendar plugin poses a critical threat to WordPress websites using versions 7.11.0 and earlier.
This vulnerability enables authenticated users to execute malicious code on the server, potentially compromising the entire site.
Users are strongly encouraged to update to version 7.12.0 immediately.
Wordfence continues to protect its users by providing timely security measures and collaborating with researchers to secure the WordPress ecosystem.
Share this advisory with anyone using the Modern Events Calendar plugin to ensure their site remains secure.
Source credit : cybersecuritynews.com