$3,094 Bounty Awarded and 150,000 WordPress Sites Protected Against Arbitrary File Upload Vulnerability Patched in Modern Events Calendar WordPress Plugin

_📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors?__Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers! _

On May 20th, 2024, during our Bug Bounty Extravaganza, we received a submission for an Arbitrary File Upload vulnerability in Modern Events Calendar, a WordPress plugin with more than 150,000 estimated active installations. This vulnerability makes it possible for authenticated users such as subscribers to upload arbitrary files to a vulnerable site and achieve remote code execution.

Props to Foxyyy who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $3,094.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 28, 2024. Sites using the free version of Wordfence received the same protection 30 days later on June 27, 2024.

We contacted the Webnus team on May 24, 2024, and received a response on June 14, 2024. After providing full disclosure details, the developer released a patch on July 8, 2024.

We urge users to update their sites with the latest patched version of Modern Events Calendar, version 7.12.0 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Modern Events Calendar <= 7.11.0 - Authenticated (Subscriber+) Arbitrary File Upload **Affected Plugins:**Modern Events Calendar, Modern Events Calendar Lite Plugin Slugs:modern-events-calendar, modern-events-calendar-lite Affected Versions:<= 7.11.0 CVE ID:CVE-2024-5441 **CVSS Score:**8.8 (High) CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Researcher/s:Foxyyy **Fully Patched Version:**7.12.0 Bounty Award: $3,094.00

The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit events to unauthenticated users, which would allow unauthenticated attackers to exploit this vulnerability.

Technical Analysis

Modern Events Calendar is a WordPress event calendar plugin for organizing and managing events with many features and a user-friendly interface.

Examining the code reveals that the plugin uses the set_featured_image() function in the MEC_main class to upload and set the featured image.

public function set_featured_image($image_url, $post_id)
{
    $attach_id = $this->get_attach_id($image_url);
    if(!$attach_id)
    {
        $upload_dir = wp_upload_dir();
        $filename = basename($image_url);

        if(wp_mkdir_p($upload_dir['path'])) $file = $upload_dir['path'].'/'.$filename;
        else $file = $upload_dir['basedir'].'/'.$filename;

        if(!file_exists($file))
        {
            $image_data = $this->get_web_page($image_url);
            file_put_contents($file, $image_data);
        }

The plugin uses this function, among other things, for frontend event submission, where by default registered users can submit events and upload a featured image for the event. Depending on the plugin settings, submission can also be allowed for guests, which means that in such cases, users who are not logged in can also use the event submission feature.

The set_featured_image() function downloads the image using the get_web_page() function, which uses the wp_remote_get() or file_get_contents() function.

public function get_web_page($url, $timeout = 20)
{
    $result = false;

    // Doing WordPress Remote
    if(function_exists('wp_remote_get'))
    {
        $result = wp_remote_retrieve_body(wp_remote_get($url, array(
            'body' => null,
            'timeout' => $timeout,
            'redirection' => 5,
        )));
    }

    // Doing FGC
    if($result === false)
    {
        $http = [];
        $result = @file_get_contents($url, false, stream_context_create(array('http'=>$http)));
    }

    return $result;
}

Then it uploads the file to the WordPress uploads directory using the file_put_contents() function.

Unfortunately, the function does not include any file type or extension checks in the vulnerable version. This means that not only image files can be uploaded, but it is also possible to upload files with a .php extension. The file is uploaded to the WordPress uploads folder, which is publicly accessible. This makes it possible for attackers, with authenticated access such as subscribers, to upload arbitrary malicious PHP code and then access the file to trigger remote code execution on the server. On sites where unauthenticated event submissions are allowed, this means unauthenticated attackers could upload a malicious PHP file and achieve remote code execution.

As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.

Disclosure Timeline

May 20, 2024 – We received the submission for the Arbitrary File Upload vulnerability in Modern Events Calendar via the Wordfence Bug Bounty Program. May 28, 2024– We validated the report and confirmed the proof-of-concept exploit. May 28, 2024– Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability. May 28, 2024– We initiated contact with the plugin vendor asking that they confirm the inbox for handling the discussion. June 14, 2024– The vendor confirmed the inbox for handling the discussion. June 14, 2024– We sent over the full disclosure details. The vendor acknowledged the report and began working on a fix. June 27, 2024– Wordfence Free users received the same protection. July 8, 2024 – The fully patched version of the plugin, 7.12.0, is released.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability within the Modern Events Calendar plugin affecting versions 7.11.0 and earlier. This vulnerability allows authenticated threat actors, with minimal permissions, to execute malicious code on the server. The vulnerability has been addressed in version 7.12.0 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Modern Events Calendar as soon as possible considering this vulnerability is highly likely to be exploited by threat actors.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 28, 2024. Sites using the free version of Wordfence received the same protection 30 days later on June 27, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post $3,094 Bounty Awarded and 150,000 WordPress Sites Protected Against Arbitrary File Upload Vulnerability Patched in Modern Events Calendar WordPress Plugin appeared first on Wordfence.