CVE-2024-5441 — Unrestricted File Upload in Modern Events Calendar

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

8.8HIGHNVD

EPSS

19.7%

top 4.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Webnus Modern Events Calendar Webnus Modern Events Calendar Lite

Timeline

PublishedJul 9

Description

The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit events to unauthentica…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDwebnus/modern_events_calendar< 7.12.0

▶CVEListV5webnus/modern_events_calendar7.11.0

▶CVEListV5webnus/modern_events_calendar_lite7.11.0

▶NVDwebnus/modern_events_calendar_lite6.5.6

🔴Vulnerability Details

GHSA

GHSA-3f7w-7j77-73m5: The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image↗2024-07-09

▶

CVEList

Modern Events Calendar <= 7.11.0 - Authenticated (Subscriber+) Arbitrary File Upload↗2024-07-09

▶

VulnCheck

webnus modern_events_calendar Unrestricted Upload of File with Dangerous Type↗2024

▶