CVE-2024-5441
Modern Events Calendar <= 7.11.0 - Authenticated (Subscriber+) Arbitrary File UploadThe Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit events to unauthenticated users, which would allow unauthenticated attackers to exploit this vulnerability.
We have discovered 22,950 live websites that are affected by CVE-2024-5441.
Affected Software
| Product |  Modern Events Calendar Lite |
| Category | Wordpress Plugins |
| Vulnerable Domains | 22,950 live websites (75.95% of Modern Events Calendar Lite install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 152 versions ( 92.68% of all versions) |
Details
- Published - Jul 9, 2024
- Updated - Aug 1, 2024
Credits
- Friderika Baranyai (finder)
CVE References
CVE-2024-5441 usage by Country
 United States | 8,043 websites |
 Germany | 3,657 websites |
 France | 2,060 websites |
 Netherlands | 824 websites |
 GB | 716 websites |
 Spain | 623 websites |
 Brazil | 616 websites |
 Italy | 589 websites |
 Switzerland | 534 websites |
 Denmark | 431 websites |
CVE-2024-5441 usage by TLD
| .com | 6,746 websites |
| .org | 3,446 websites |
| .de | 2,369 websites |
| .fr | 929 websites |
| .nl | 864 websites |
| .it | 543 websites |
| .ch | 441 websites |
| .ca | 412 websites |
| .net | 386 websites |
| .co.uk | 361 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-5441
Top websites that are affected by CVE-2024-5441. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******************.cat | Spain | *,*** | |
| *********************.com | United States | **,*** | |
| *************.net | United States | **,*** | |
| ********.app | United States | **,*** | |
| *******************.com | Germany | **,*** | |
| *********************.ca | United States | **,*** | |
| *****.org | United States | **,*** | |
| ***************.org | United States | **,*** | |
| *****.edu | United States | **,*** | |
| **********.ru |  Russia | **,*** |
FAQ
A total of 22,950 websites have been identified as vulnerable to CVE-2024-5441, discovered through global website indexing conducted by WebTechSurvey.
Modern Events Calendar Lite is susceptible to CVE-2024-5441 vulnerability.
Modern Events Calendar Lite versions before, and including, 7.11 are vulnerable to CVE-2024-5441.