Hackers are attempting to exploit a vulnerability in the Modern Events Calendar WordPress plugin, which is present on more than 150,000 sites, to upload arbitrary files to a vulnerable site and execute code remotely.
The plugin is developed by Webnus and is used to organize and manage in-person, virtual, or hybrid events.
The vulnerability exploited in attacks is tracked as CVE-2024-5441 and received a high-severity rating (CVSS v3.1: 8.8). It was discovered and responsibly reported on May 20 by Friderika Baranyai during Wordfence's Bug Bounty Extravaganza.
In a report describing the security issue, Wordfence says that the flaw stems from a lack of file type validation in the plugin's 'set_featured_image' function, which is used for uploading and setting featured images for events.
The function takes an image URL and a post ID, tries to look up the attachment ID, and if none is found, downloads the image using the get_web_page function.
It retrieves the image using wp_remote_get or file_get_contents, and saves it to the WordPress uploads directory using the file_put_contents function.
Modern Events Calendar versions up to and including 7.11.0 perform no checks on the file type or extension of uploaded image files, allowing any file type, including dangerous .PHP files, to be uploaded.
Once uploaded, these files can be accessed and executed, enabling remote code execution on the server and potentially leading to complete site takeover.
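The check the article says was missing, shown as an added example that is not the plugin's or Webnus's code: a hypothetical hardened_set_featured_image() keeps the URL-plus-post-ID flow but gates on capability, allow-lists image types and verifies the downloaded bytes before letting WordPress core create the attachment.

```php
<?php
// Added example, not code from the Modern Events Calendar plugin. A hardened
// version of the flow described above: image URL + post ID in, featured image
// out. hardened_set_featured_image is a hypothetical name; core calls are real.
require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/media.php';
require_once ABSPATH . 'wp-admin/includes/image.php';
function hardened_set_featured_image( $image_url, $post_id ) {
    // Capability gate: subscribers (or unauthenticated submitters) must not
    // be able to drive this code path at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    // Allow-list of image MIME types taken from core, never a deny-list.
    $image_mimes = array();
    foreach ( get_allowed_mime_types() as $exts => $mime ) {
        if ( strpos( $mime, 'image/' ) === 0 ) {
            $image_mimes[ $exts ] = $mime;
        }
    }
    // Name check on the URL path: rejects "shell.php" up front, but is not
    // sufficient on its own, so the content is checked again after download.
    $url_path = (string) wp_parse_url( $image_url, PHP_URL_PATH );
    $by_name  = wp_check_filetype( basename( $url_path ), $image_mimes );
    if ( empty( $by_name['ext'] ) ) {
        return new WP_Error( 'bad_extension', 'URL is not an allowed image type.' );
    }
    // Download to a temp file rather than file_put_contents() into uploads.
    $tmp = download_url( $image_url );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    // Content check: compare the real (magic-byte) type with the claimed one.
    $name    = sanitize_file_name( 'event-' . (int) $post_id . '.' . $by_name['ext'] );
    $by_data = wp_check_filetype_and_ext( $tmp, $name, $image_mimes );
    if ( empty( $by_data['type'] ) || strpos( $by_data['type'], 'image/' ) !== 0 ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_content', 'Downloaded data is not an image.' );
    }
    // Let core create the attachment; it moves the file under a safe name.
    $file_array    = array( 'name' => $name, 'tmp_name' => $tmp );
    $attachment_id = media_handle_sideload( $file_array, $post_id );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        return $attachment_id;
    }
    set_post_thumbnail( $post_id, $attachment_id );
    return $attachment_id;
}
```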
Any authenticated user, including subscribers and other registered members, can exploit CVE-2024-5441.
If the plugin is configured to allow event submissions from non-members (visitors without accounts), CVE-2024-5441 is exploitable without authentication.
Webnus fixed the vulnerability yesterday by releasing version 7.12.0 of Modern Events Calendar, which is the recommended upgrade to avoid the risk of a cyberattack.
However, Wordfence reports that hackers are already attempting to leverage the issue in attacks, having blocked over 100 attempts in 24 hours.
Given the ongoing exploitation efforts, users of Modern Events Calendar and Modern Events Calendar Lite (the free version) should upgrade to the latest version as soon as possible or disable the plugin until they can perform the update.