Platform: wordpress
Component: modern-events-calendar-lite
Fixed in: 7.12.2
CVE-2024-6522 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Modern Events Calendar plugin for WordPress. This flaw allows authenticated users with Subscriber-level access or higher to initiate web requests to arbitrary locations, potentially exposing internal resources and sensitive data. The vulnerability impacts versions of the plugin up to and including 7.12.1, and a patch is available from the vendor.
The SSRF vulnerability in Modern Events Calendar allows an attacker with authenticated access (Subscriber role or higher) to craft requests that the plugin then issues from the WordPress server on the attacker's behalf. This can have several serious consequences. An attacker could query internal services that are not directly reachable from the outside, such as databases or administrative interfaces, and, depending on the permissions those services grant the plugin's requests, could also modify data within them. The blast radius extends to any internal resource reachable over HTTP/HTTPS from the WordPress server. Although authentication is required, the low privilege level needed (Subscriber) significantly widens the pool of accounts that can trigger it.
CVE-2024-6522 was publicly disclosed on August 7, 2024. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the relatively low privilege requirement suggest a potential for future attacks. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the SSRF nature of the vulnerability.
Exploit Status
EPSS: 0.74% (73rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-6522 is to upgrade the Modern Events Calendar plugin to a version that includes the security patch. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block outbound requests to suspicious or internal IP addresses. Additionally, restrict the plugin's access to internal resources by implementing stricter network segmentation. Review the plugin's configuration to ensure it is not configured to access sensitive internal services unnecessarily. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability using a test request to an internal resource and verifying that the request is blocked or fails.
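The network-level controls above (refusing requests to internal addresses) can also be enforced in application code, by validating a user-supplied URL before any server-side fetch takes place. The following is an added example, not code from Modern Events Calendar or from this advisory; it is written in Python for illustration rather than in the plugin's PHP, and every name in it (check_outbound_url, is_safe_url, demo_resolver, the DEMO_DNS table and its addresses) is hypothetical and constructed here.

```python
"""Hypothetical SSRF guard for server-side URL fetches (added example, not
plugin code). A URL is accepted only if its scheme and port are allowed and
every address its host resolves to is a public address."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetch should never reach. The explicit list backs up
# ipaddress.is_global, e.g. for IPv4-mapped IPv6 addresses wrapping loopback.
# Link-local (169.254.0.0/16) also covers cloud metadata services.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # policy choice: calendar feeds live on web ports


class SsrfBlocked(ValueError):
    """Raised when a URL must not be fetched from the server."""


def is_blocked_address(addr: str) -> bool:
    """True if addr is private, loopback, link-local, multicast or reserved."""
    ip = ipaddress.ip_address(addr)
    return (not ip.is_global) or any(ip in net for net in BLOCKED_NETWORKS)


def system_resolve(host: str) -> list:
    """Resolve host with the system resolver, returning every address."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, resolver=system_resolve) -> str:
    """Validate url; return the one IP address the fetch may connect to.

    The caller should connect to the returned address (keeping the original
    Host header) instead of resolving the name again, so the DNS answer cannot
    change between check and connection (DNS rebinding).
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError as exc:
        raise SsrfBlocked(f"unparseable URL: {exc}") from None
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SsrfBlocked("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise SsrfBlocked("credentials embedded in URL")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise SsrfBlocked(f"port not allowed: {port}")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal, no lookup
    except ValueError:
        # Not a plain literal. Numeric shorthand such as "2130706433" is not
        # pattern-matched here; the resolver expands it and the resulting
        # address goes through the same check as any other.
        try:
            addresses = resolver(host)
        except OSError as exc:           # socket.gaierror is an OSError
            raise SsrfBlocked(f"cannot resolve {host!r}: {exc}") from None
    if not addresses:
        raise SsrfBlocked(f"no addresses for {host!r}")
    # Every answer must pass: a name mixing public and private addresses is
    # treated as hostile rather than picking the public one.
    for addr in addresses:
        if is_blocked_address(addr):
            raise SsrfBlocked(f"{host!r} resolves to blocked address {addr}")
    return addresses[0]


def is_safe_url(url: str, resolver=system_resolve) -> bool:
    """Boolean wrapper around check_outbound_url."""
    try:
        check_outbound_url(url, resolver)
        return True
    except SsrfBlocked:
        return False


# Constructed lookup table for the demo and offline tests; the names and
# addresses are made up (93.184.216.34 stands in for any public address).
DEMO_DNS = {
    "calendar.example": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def demo_resolver(host: str) -> list:
    """Resolver that answers only from DEMO_DNS, so nothing touches the network."""
    if host not in DEMO_DNS:
        raise socket.gaierror(f"unknown host {host!r}")
    return DEMO_DNS[host]


if __name__ == "__main__":
    for u in ("https://calendar.example/events.ics", "http://10.0.0.5/admin",
              "http://169.254.10.20/", "http://rebind.example/",
              "file:///etc/hosts", "https://calendar.example:8443/"):
        print(f"{u:40} -> {'allowed' if is_safe_url(u, demo_resolver) else 'blocked'}")
```

The guard returns the resolved address precisely so the HTTP client can connect to that address and not re-resolve the name; a check that validates the name and then lets the client resolve it again leaves a rebinding window. WordPress core offers a comparable control (wp_safe_remote_get() and wp_http_validate_url() reject loopback and private targets), so a PHP plugin would normally route user-supplied URLs through those rather than reimplementing the check.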
Update the Modern Events Calendar plugin to the latest available version. This will resolve the Server-Side Request Forgery (SSRF) vulnerability.
CVE-2024-6522 is a Server-Side Request Forgery vulnerability in the Modern Events Calendar plugin for WordPress, allowing authenticated users to make arbitrary web requests.
You are affected if you are running the Modern Events Calendar plugin at version 7.12.1 or earlier and your site has authenticated users with Subscriber-level access or higher.
Upgrade the Modern Events Calendar plugin to the latest version, which includes the security patch. Consider WAF rules as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the Modern Events Calendar website and WordPress plugin repository for the latest advisory and update information.