Modern Events Calendar <= 7.12.1 - Authenticated (Subscriber+) Server Side Request Forgery

The SSRF vulnerability in Modern Events Calendar allows an attacker who has authenticated access (Subscriber role or higher) to craft malicious requests that the plugin will execute on the server's behalf. This can lead to several serious consequences. An attacker could potentially query internal services that are not directly accessible from the outside world, such as databases or administrative interfaces. They could also modify data within these internal systems, depending on the permissions granted to the plugin. The blast radius extends to any internal resources accessible via HTTP/HTTPS from the WordPress server. While requiring authentication, the relatively low privilege level needed (Subscriber) significantly expands the potential attack surface.

Websites using the Modern Events Calendar plugin, particularly those with Subscriber-level users who have access to the plugin's AJAX endpoints, are at risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise on one site could potentially be leveraged to attack others.

• wordpress / composer / npm:

grep -r 'mec_fes_form' /var/www/html/wp-content/plugins/modern-events-calendar/

• generic web:

curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=mec_fes_form&url=http://internal-service.local

• wordpress / composer / npm:

wp plugin list --status=active | grep 'modern-events-calendar'

• wordpress / composer / npm:

wp plugin update modern-events-calendar

1. 2024-08-07Disclosure

   disclosure

1. Gereserveerd2024-07-04
2. Gepubliceerd2024-08-07
3. EPSS bijgewerkt2026-04-02

The primary mitigation for CVE-2024-6522 is to upgrade the Modern Events Calendar plugin to a version that includes the security patch. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block outbound requests to suspicious or internal IP addresses. Additionally, restrict the plugin's access to internal resources by implementing stricter network segmentation. Review the plugin's configuration to ensure it is not configured to access sensitive internal services unnecessarily. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability using a test request to an internal resource and verifying that the request is blocked or fails.