CVE-2024-5441

8.8 HIGH

📋 TL;DR

The Modern Events Calendar WordPress plugin allows arbitrary file uploads because its set_featured_image function does not validate the type of the submitted file. Any authenticated user with subscriber-level access or higher can therefore upload a file of their choosing, such as a PHP webshell, to the site; if the web server executes scripts in the upload location, this leads to remote code execution. The same code path is reachable without authentication when administrators have enabled event submissions for guests.

💻 Affected Systems

Products:
  • Modern Events Calendar WordPress Plugin
Versions: All versions up to and including 7.11.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable by default; risk increases if administrators enable event submissions for unauthenticated users.

📦 What is this software?

Modern Events Calendar is a commercial WordPress events-management plugin from Webnus. It adds event creation, calendar views and booking to a site and can optionally accept event submissions from the front end, including from visitors who are not logged in.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, malware deployment, or website defacement.

🟠

Likely Case

Unauthorized file uploads leading to webshell installation, backdoor persistence, or limited server access.

🟢

If Mitigated

File upload attempts blocked or logged with no successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a subscriber-level (or higher) account, or no authentication at all if guest event submissions are enabled. No special tooling is needed: the attacker submits a file with a script extension where a featured image is expected.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.11.1

Vendor Advisory: https://webnus.net/modern-events-calendar/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Modern Events Calendar.
4. Click 'Update Now' if an update is offered.
5. Otherwise, download version 7.11.1 or later from the vendor (Webnus) and update manually; the Lite edition is distributed through the WordPress.org plugin directory.
6. After updating, review /wp-content/uploads/mec/ for files with script extensions that were uploaded before the fix; patching does not remove files already placed on the server.

🔧 Temporary Workarounds

Disable Guest Event Submissions

Applies to: all platforms

Turn off front-end event submission for unauthenticated users in the plugin settings. This removes only the unauthenticated path: any subscriber-level account can still reach the vulnerable function, so also disable open user registration (Settings > General > Membership) unless it is needed.

Web Application Firewall Rule

Applies to: all platforms

Block requests to the vulnerable endpoint that carry a file with an executable extension (.php, .phtml, .phar and similar, including double extensions such as image.jpg.php), rather than blocking the endpoint outright, which would also break legitimate featured-image uploads.

🧯 If You Can't Patch

  • Disable the Modern Events Calendar plugin immediately
  • Deny execution and direct serving of script files under the plugin's upload directory at the web server level (e.g., an .htaccess rule in wp-content/uploads/mec); this does not stop the upload itself, but an uploaded webshell that the server refuses to execute is not a remote code execution path
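The following .htaccess fragment is an added example for the web-server-level restriction above; it is not from the advisory or the vendor. It assumes Apache with AllowOverride permitting FilesMatch in this directory, and it takes the target directory, wp-content/uploads/mec, from the indicators listed on this page:

```apache
# Added example (not vendor code): place at <webroot>/wp-content/uploads/mec/.htaccess
# Deny any request for a script file in this tree, regardless of who uploaded it.
<FilesMatch "\.(php|php[3-8]|phtml|phar|pl|py|cgi|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Belt and braces when PHP runs as an Apache module: disable the engine here.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

The FilesMatch block is the part that matters: it also works when PHP runs under PHP-FPM, where php_flag has no effect. The same rule can be applied to all of wp-content/uploads, since WordPress never needs to execute scripts from its upload directory; on nginx, an equivalent `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` must appear before the generic PHP handler location.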

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin panel under Plugins > Installed Plugins.

Check Version:

wp plugin list --name=modern-events-calendar --field=version

(The --name filter of wp plugin list matches the plugin slug, not its display title. The slug modern-events-calendar is assumed here; the Lite edition uses modern-events-calendar-lite. Check the directory name under wp-content/plugins if unsure.)

Verify Fix Applied:

Confirm the plugin version is 7.11.1 or higher. Then, in a test environment, submit an event with a non-image file (for example a text file renamed to .php) as the featured image and confirm that the plugin rejects it and that nothing is written to the upload directory.

📡 Detection & Monitoring

Log Indicators:

  • New files under /wp-content/uploads/mec/, particularly with script extensions or double extensions (image.jpg.php)
  • POST requests to /wp-admin/admin-ajax.php with action=mec_featured_image, followed by a GET for a file under /wp-content/uploads/mec/ from the same client

Note: the admin-ajax action and the uploaded file name travel in the POST body, so a standard access log shows only a request to admin-ajax.php. Matching on the action parameter requires a WAF or request-body logging in front of WordPress.

Network Indicators:

  • File uploads with suspicious extensions (.php, .phtml, .exe) to calendar endpoints

SIEM Query:

source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters.action="mec_featured_image")
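The detection logic behind these indicators, run over constructed sample records, as an added example that is not part of the original advisory. It assumes a WAF or request-body-aware log source that records the method, path, the admin-ajax action parameter and the uploaded file name as JSON; the field names (src_ip, uri_path, params, upload_name) and the log records themselves are constructed for the example, and the action name and upload path are the ones listed on this page:

```python
"""Detection for CVE-2024-5441 exploitation attempts over JSON log records.

Added example, not advisory or vendor code. Field names and sample records
are constructed; the action name and upload directory come from the page.
"""
import json
import posixpath

# Constructed sample records (not real traffic).
SAMPLE_LOGS = [
    '{"src_ip":"203.0.113.5","method":"POST","uri_path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"mec_featured_image"},"upload_name":"shell.php","status":200}',
    '{"src_ip":"203.0.113.5","method":"GET","uri_path":"/wp-content/uploads/mec/shell.php",'
    '"params":{},"status":200}',
    '{"src_ip":"198.51.100.7","method":"POST","uri_path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"mec_featured_image"},"upload_name":"banner.jpg","status":200}',
    '{"src_ip":"198.51.100.9","method":"POST","uri_path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"mec_featured_image"},"upload_name":"photo.jpg.phtml","status":200}',
    '{"src_ip":"192.0.2.3","method":"GET","uri_path":"/wp-content/uploads/mec/banner.jpg",'
    '"params":{},"status":200}',
]

VULN_ACTION = "mec_featured_image"
UPLOAD_DIR = "/wp-content/uploads/mec/"
# Extensions the web server might execute or that alter server behaviour.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar",
             "exe", "sh", "htaccess"}


def dangerous_upload_name(name):
    """True if ANY dotted segment after the base name is executable.

    This catches double extensions such as photo.jpg.phtml, which a check on
    the final extension alone would also catch, but also image.php.jpg, which
    some Apache configurations still execute.
    """
    parts = name.lower().split(".")[1:]
    return any(p in EXEC_EXTS for p in parts)


def classify(record):
    """Return (severity, reason) for one parsed record, or None if benign."""
    path = record.get("uri_path", "")
    method = record.get("method", "")
    params = record.get("params") or {}

    # Stage 1: the upload itself, via the vulnerable admin-ajax action.
    if (method == "POST" and path == "/wp-admin/admin-ajax.php"
            and params.get("action") == VULN_ACTION):
        name = record.get("upload_name", "")
        if dangerous_upload_name(name):
            return ("high", f"executable file {name!r} uploaded via {VULN_ACTION}")
        return ("info", f"featured image upload via {VULN_ACTION}")

    # Stage 2: the webshell being invoked from the plugin upload directory.
    if path.startswith(UPLOAD_DIR) and dangerous_upload_name(posixpath.basename(path)):
        return ("critical", f"request for executable under {UPLOAD_DIR}: {path}")
    return None


def detect(lines):
    """Parse JSON log lines and return a list of alert dicts; skips unparsable lines."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(rec)
        if hit:
            alerts.append({"src_ip": rec.get("src_ip"),
                           "severity": hit[0], "reason": hit[1]})
    return alerts


def correlate(alerts):
    """Group severities by source IP.

    A client that both uploaded an executable and then requested one under
    the upload directory is the strongest signal of successful exploitation.
    """
    by_ip = {}
    for a in alerts:
        by_ip.setdefault(a["src_ip"], set()).add(a["severity"])
    return {ip: sorted(s) for ip, s in by_ip.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print(correlate(found))
```

On the constructed records this raises four alerts: the shell.php upload and the later GET for it from 203.0.113.5 (which correlate to both "critical" and "high" for that client), an informational hit for the legitimate banner.jpg upload, and a high-severity hit for the double-extension photo.jpg.phtml. The benign GET for banner.jpg is not flagged.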
