CVE-2024-5441 is a critical vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the Modern Events Calendar plugin for WordPress, developed by Webnus. The flaw exists in the set_featured_image function, which lacks proper validation of uploaded file types. This allows authenticated users with subscriber-level privileges or higher to upload arbitrary files to the web server. Moreover, the plugin’s configuration can permit unauthenticated users to submit events, effectively enabling unauthenticated attackers to exploit the vulnerability. The uploaded files could include malicious scripts, potentially leading to remote code execution (RCE) on the server hosting the WordPress site. The vulnerability affects all versions up to and including 7.11.0. The CVSS v3.1 base score is 8.8, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the ease of exploitation and potential impact make this a critical threat. The vulnerability poses a significant risk to websites using this plugin, especially those that allow event submissions from unauthenticated users, broadening the attack surface.

The impact of CVE-2024-5441 is severe for organizations running WordPress sites with the Modern Events Calendar plugin. Attackers can upload arbitrary files, including web shells or other malicious payloads, enabling remote code execution. This can lead to full compromise of the web server, data theft, defacement, or use of the server as a pivot point for further attacks within the network. Confidentiality is at risk due to potential data exposure, integrity is compromised by unauthorized code execution or content modification, and availability can be disrupted by server manipulation or denial-of-service conditions. The vulnerability is particularly dangerous because it can be exploited by low-privilege users or even unauthenticated users if the plugin settings are misconfigured. This broadens the scope of affected systems and increases the likelihood of exploitation. Organizations with public-facing WordPress sites that rely on this plugin are at risk of significant operational and reputational damage.

To mitigate CVE-2024-5441, organizations should immediately update the Modern Events Calendar plugin to a patched version once released by Webnus. Until a patch is available, administrators should disable event submissions from unauthenticated users to reduce the attack surface. Implement strict file upload restrictions at the web server or application firewall level, allowing only safe file types and scanning uploads for malicious content. Employ web application firewalls (WAFs) with rules to detect and block suspicious file upload attempts targeting this plugin. Regularly audit user roles and permissions to ensure that only trusted users have subscriber-level or higher access. Monitor web server logs for unusual file upload activity or execution of unexpected scripts. Additionally, consider isolating WordPress instances in containerized or sandboxed environments to limit the impact of potential compromises. Finally, maintain regular backups and have an incident response plan ready to quickly recover from any exploitation.