This popular WordPress calendar plugin is being targeted by hackers, so act now

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)

If your WordPress website is running the Modern Events Calendar plugin, make sure to update immediately, since it carries a high-severity vulnerability that can be abused for full website takeover. To make matters worse, researchers are saying that hackers are already abusing the flaw in the wild.

Cybersecurity researcher Friderika Baranyai first discovered the issue in late May 2024 during the Wordfence Bug Bounty Extravaganza. It is described as a missing file type validation bug, now tracked as CVE-2024-5441, and carries a severity score of 8.8 (high).

As explained by WordPress security group Wordfence, the plugin lacks file type validation in the ‘set_featured_image’ function, which users rely on to upload and set featured images for events. Since the plugin doesn’t check what kind of file is being uploaded, malicious actors can upload harmful .PHP files as well, which could lead to complete site takeover. Any authenticated user, including subscribers and registered members, can take advantage of the flaw.
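To make the missing check concrete, here is an added example of a featured-image upload handler written for this article; it is not the Modern Events Calendar plugin's code, and every `example_` function name and the `_example_featured_image` meta key are hypothetical. The first function shows the pattern Wordfence describes (the uploaded file is stored with no type check), and the second shows a hardened handler that uses the real WordPress helpers `wp_check_filetype_and_ext()`, `wp_get_image_mime()` and `wp_handle_upload()` to enforce an image-only allowlist, so a .php upload is rejected before it reaches the uploads directory.

```php
<?php
/**
 * Illustrative featured-image upload handlers (added example, not plugin code).
 * Both are meant to run as admin-ajax callbacks with $event_id resolved
 * from the request by the caller.
 */

// Weak pattern: whatever was uploaded is written under the uploads directory
// with its original name, and nothing checks what kind of file it is.
function example_set_featured_image_unchecked( $event_id ) {
    $upload_dir = wp_upload_dir();
    $dest = trailingslashit( $upload_dir['path'] ) . basename( $_FILES['featured_image']['name'] );
    move_uploaded_file( $_FILES['featured_image']['tmp_name'], $dest );
    update_post_meta( $event_id, '_example_featured_image', $dest ); // hypothetical meta key
}

// Hardened version: capability check, nonce, image-only allowlist, content sniffing,
// and the move is delegated to wp_handle_upload().
function example_set_featured_image( $event_id ) {
    // Only users who may upload media and edit this event are allowed through.
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'example_featured_image', 'nonce' );

    if ( empty( $_FILES['featured_image']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['featured_image'];

    // Explicit allowlist of image types. Anything else, including .php, is refused
    // even if the site's global upload_mimes filter is permissive.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // Check the extension/MIME pairing against the allowlist; WordPress proposes a
    // corrected filename when the extension does not match the detected content.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'only JPEG, PNG, GIF or WebP images are accepted', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // Sniff the actual bytes instead of trusting the client-declared type or the name.
    if ( wp_get_image_mime( $file['tmp_name'] ) !== $check['type'] ) {
        wp_send_json_error( 'file content is not a valid image', 415 );
    }

    // wp_handle_upload() stores the file under a sanitized, unique name and applies
    // the same allowlist a second time.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $uploaded = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $uploaded['error'] ) ) {
        wp_send_json_error( $uploaded['error'], 400 );
    }

    // Register the image as an attachment and set it as the event's thumbnail.
    $attachment_id = wp_insert_attachment(
        array(
            'post_mime_type' => $uploaded['type'],
            'post_title'     => sanitize_file_name( basename( $uploaded['file'] ) ),
            'post_status'    => 'inherit',
        ),
        $uploaded['file'],
        $event_id
    );
    require_once ABSPATH . 'wp-admin/includes/image.php';
    wp_update_attachment_metadata(
        $attachment_id,
        wp_generate_attachment_metadata( $attachment_id, $uploaded['file'] )
    );
    set_post_thumbnail( $event_id, $attachment_id );

    wp_send_json_success( array( 'attachment_id' => $attachment_id, 'url' => $uploaded['url'] ) );
}
```

The two defensive layers matter separately: the allowlist passed to `wp_check_filetype_and_ext()` and `wp_handle_upload()` rejects disallowed extensions and MIME types, while `wp_get_image_mime()` rejects a file whose name and declared type say "image" but whose bytes do not. Site owners who cannot patch immediately can also confirm at the web-server level that PHP execution is disabled inside `wp-content/uploads`, which limits the impact of any upload-validation bug.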

Data for sale

A BleepingComputer report claims more than 150,000 WordPress websites are currently using Modern Events Calendar, meaning the attack surface is rather big.

All versions of the plugin up to and including 7.11.0 were said to be vulnerable, and users are advised to update to version 7.12.0 or later. Wordfence says it is already observing hackers trying to abuse the flaw, having blocked more than 100 attempts so far.

WordPress is the most popular website builder in the world, currently powering almost half of all websites on the internet. As such, it is a popular target for cybercriminals, but it is generally considered safe and difficult to break into. However, WordPress also has a huge online store for themes and add-ons, which are split into free and commercial products.

Commercial products are also relatively safe, since they have a dedicated team working on improvements and pushing updates. Free products, however, are often passion projects done by solo developers, or small teams, and are sometimes not updated and maintained, turning into prime targets for threat actors.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
