CVE-2024-6522
📋 TL;DR
The Modern Events Calendar WordPress plugin contains a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated attackers with Subscriber-level access or higher to make arbitrary web requests from the vulnerable server. This enables attackers to query and potentially modify internal services that should not be accessible from external networks. All WordPress sites using this plugin up to version 7.12.1 are affected.
💻 Affected Systems
- Modern Events Calendar WordPress Plugin
- Modern Events Calendar Lite WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, steal sensitive data from internal APIs, perform port scanning of internal networks, or attack other internal systems through the vulnerable server.
Likely Case
Attackers will scan internal networks, access metadata services (like AWS/Azure instance metadata), and attempt to interact with internal APIs to extract credentials or sensitive information.
If Mitigated
With proper network segmentation and internal service authentication, impact is limited to information disclosure about internal network structure and potential denial of service against internal services.
🎯 Exploit Status
Exploitation requires at least Subscriber-level WordPress authentication. The vulnerability is in the 'mec_fes_form' AJAX endpoint which accepts arbitrary URLs for server-side requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.12.2 and later
Vendor Advisory: https://mec.webnus.net/change-log/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Modern Events Calendar
4. Click 'Update Now' if available
5. If manual update needed, download version 7.12.2+ from WordPress.org
6. Deactivate plugin, upload new version, reactivate
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the vulnerable 'mec_fes_form' AJAX function
Add to theme's functions.php or custom plugin:
add_action('init', function() {
    // Unhook the front-end submission handler for both logged-in and anonymous callers.
    // 'init' runs after plugins have registered their hooks, so the removal takes effect.
    // remove_action() only works if the callback matches what the plugin registered;
    // if the plugin hooked a method (array($obj, 'method')), pass that same callback.
    remove_action('wp_ajax_mec_fes_form', 'mec_fes_form');
    remove_action('wp_ajax_nopriv_mec_fes_form', 'mec_fes_form');
});
Restrict plugin access
Temporarily deactivate the Modern Events Calendar plugin
wp plugin deactivate modern-events-calendar-lite
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WordPress server from internal services
- Add web application firewall rules to block SSRF patterns and restrict outbound requests from WordPress
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Modern Events Calendar → Version. If version is 7.12.1 or lower, you are vulnerable.
Check Version:
wp plugin get modern-events-calendar-lite --field=version
Verify Fix Applied:
After updating, verify version is 7.12.2 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=mec_fes_form
- Outbound HTTP requests from WordPress server to internal IP addresses or metadata services
- Multiple failed authentication attempts followed by successful Subscriber login
Network Indicators:
- WordPress server making HTTP requests to internal network ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254, 169.254.170.2)
- Unusual port scanning activity originating from WordPress server
SIEM Query:
(source="wordpress.log" AND uri="/wp-admin/admin-ajax.php" AND parameters.action="mec_fes_form") OR (src_ip="wordpress_server" AND dst_ip IN (RFC1918_ranges, metadata_ips))
Replace the placeholders wordpress_server, RFC1918_ranges and metadata_ips with your server address and address lists; the first clause matches the AJAX calls, the second matches outbound connections to internal or metadata destinations.
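The log and network indicators above, implemented as a small detector over constructed sample log lines. This is an added example, not code from the advisory or the plugin; the access-log and egress-log formats, the sample addresses and the placeholder WordPress server IP 192.0.2.10 are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Destinations named in the advisory's Network Indicators section.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
METADATA_IPS = {"169.254.169.254", "169.254.170.2"}
# Constructed log formats (assumed for this example, not real server output):
#   access: "<client_ip> <method> <uri> <status>"   egress: "<src_ip> -> <dst_ip>:<port>"
ACCESS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
EGRESS_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")

def flag_ajax_request(line):
    """Finding for admin-ajax.php requests carrying action=mec_fes_form.
    Assumes the action is logged in the query string; when it is only in the
    POST body you need WAF or request-body logging to see it."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    client, method, uri, status = m.groups()
    parts = urlsplit(uri)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    if parse_qs(parts.query).get("action", [""])[0] != "mec_fes_form":
        return None
    return {"type": "mec_fes_form", "client": client, "method": method, "status": int(status)}

def is_internal_destination(ip):
    """True for RFC1918 ranges and the cloud metadata addresses listed above."""
    addr = ipaddress.ip_address(ip)
    return ip in METADATA_IPS or any(addr in net for net in INTERNAL_NETS)

def flag_egress(line, wordpress_ip):
    """Finding when the WordPress host itself connects to an internal destination."""
    m = EGRESS_RE.match(line)
    if not m or m.group(1) != wordpress_ip or not is_internal_destination(m.group(2)):
        return None
    return {"type": "internal_egress", "dst": m.group(2), "port": int(m.group(3))}

def scan(access_lines, egress_lines, wordpress_ip):
    """Run both detectors over the logs and return the combined findings."""
    hits = [f for f in map(flag_ajax_request, access_lines) if f]
    return hits + [f for f in (flag_egress(ln, wordpress_ip) for ln in egress_lines) if f]

# Constructed sample logs; 192.0.2.10 stands in for the WordPress server.
ACCESS_LOG = ["203.0.113.7 POST /wp-admin/admin-ajax.php?action=mec_fes_form 200",
              "203.0.113.7 POST /wp-admin/admin-ajax.php?action=heartbeat 200",
              "198.51.100.2 GET /wp-login.php 200"]
EGRESS_LOG = ["192.0.2.10 -> 169.254.169.254:80", "192.0.2.10 -> 93.184.216.34:443",
              "192.0.2.10 -> 10.0.0.5:8080"]
FINDINGS = scan(ACCESS_LOG, EGRESS_LOG, "192.0.2.10")
```

A single mec_fes_form hit from a low-privilege account followed by internal egress from the server is the pairing worth alerting on; either indicator alone can be benign.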
🔗 References
- https://mec.webnus.net/change-log/
- https://plugins.trac.wordpress.org/browser/modern-events-calendar-lite/trunk/app/features/fes.php#L54
- https://wordpress.org/plugins/modern-events-calendar-lite/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/00bf8f2f-6ab4-4430-800b-5b97abe7589e?source=cve