CVE-2024-4180 – This vulnerability in The Events Calendar WordP... (How to Fix)

Q: What is the severity of CVE-2024-4180?

CVE-2024-4180 has a CVSS score of 9.1 (CRITICAL). This vulnerability in The Events Calendar WordPress plugin allows attackers to inject malicious scripts into web pages viewed by other users. It affects WordPress sites running vulnerable plugin versions, potentially compromising all visitors to affected pages.

📋 TL;DR

This vulnerability in The Events Calendar WordPress plugin allows attackers to inject malicious scripts into web pages viewed by other users. It affects WordPress sites running vulnerable plugin versions, potentially compromising all visitors to affected pages.

💻 Affected Systems

Products:

The Events Calendar WordPress plugin

Versions: All versions before 6.4.0.1

Operating Systems: All platforms running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires AJAX functionality to be enabled (default configuration).

📦 What is this software?

The Events Calendar by Stellarwp

View all CVEs affecting The Events Calendar →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can execute arbitrary JavaScript in victims' browsers, leading to session hijacking, credential theft, defacement, or malware distribution.

🟠

Likely Case

Cross-site scripting attacks that steal session cookies or redirect users to malicious sites.

🟢

If Mitigated

Limited impact if proper content security policies and input validation are already implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user interaction with AJAX endpoints but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.0.1

Vendor Advisory: https://wpscan.com/vulnerability/b2a92316-e404-4a5e-8426-f88df6e87550/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find The Events Calendar plugin. 4. Click 'Update Now' if available, or manually update to version 6.4.0.1 or later.

🔧 Temporary Workarounds

Disable AJAX functionality

all

Temporarily disable AJAX features in the plugin settings to prevent exploitation.

Implement Content Security Policy

all

Add CSP headers to restrict script execution sources.

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");

🧯 If You Can't Patch

Disable or uninstall the vulnerable plugin immediately
Implement web application firewall rules to block malicious payloads

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is below 6.4.0.1, you are vulnerable.

Check Version:

wp plugin list --name='the-events-calendar' --field=version

Verify Fix Applied:

Confirm plugin version is 6.4.0.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /wp-admin/admin-ajax.php with script tags
Multiple failed AJAX requests with suspicious parameters

Network Indicators:

HTTP requests containing <script> tags in AJAX endpoints
Unexpected redirects from calendar pages

SIEM Query:

source="web_server" AND uri="/wp-admin/admin-ajax.php" AND (body="<script>" OR body="javascript:")

📊 Metadata

CVE ID: CVE-2024-4180

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-79

Published: June 4, 2024

Last Updated: May 29, 2025

🔗 References

https://wpscan.com/vulnerability/b2a92316-e404-4a5e-8426-f88df6e87550/ Exploit,Third Party Advisory
https://wpscan.com/vulnerability/b2a92316-e404-4a5e-8426-f88df6e87550/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-4180, you might also want to check these: