Users of miniOrange's Malware Scanner and Web Application Firewall plugins for WordPress are advised to remove them from their websites, as a critical security flaw has been uncovered in both. The vulnerability, tracked as CVE-2024-2172 and credited to a researcher using the handle Stiofan, carries a CVSS score of 9.8 out of 10.
It affects the following plugin versions:
- Malware Scanner (versions <= 4.7.2) and
- Web Application Firewall (versions <= 2.1.1).
Notably, the maintainers permanently closed both plugins as of March 7, 2024, so no patched version exists and removal is the only remediation. Malware Scanner has more than 10,000 active installations, while Web Application Firewall has over 300.
According to Wordfence, the flaw allows an unauthenticated attacker to gain administrative privileges by resetting an arbitrary user's password.
The problem stems from a missing capability check in the mo_wpns_init() function, which lets unauthenticated attackers change any user's password, including an administrator's, and thereby elevate their privileges to administrator level. The result is a complete takeover of the affected website by a malicious actor.
Wordfence notes that once an attacker holds administrative rights on a WordPress site, they can make any changes they please, such as uploading malicious plugin or theme files and editing posts and pages to carry out further attacks like redirects or spam injection.
Separately, the WordPress security firm disclosed a critical vulnerability in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions up to and including 5.3.0.0.
The flaw was fixed on March 11, 2024, with the release of version 5.3.1.0. Before the fix, authenticated attackers could elevate their permissions to administrator level by updating their own user role.
The plugin has over 10,000 active installations. Wordfence's István Márton noted that the loophole allows authenticated users with subscriber-level access or higher to raise their privileges to those of a site administrator, potentially leading to a full compromise of the website.
The root cause is improper access control: the code path that updates a user's role did not verify that the requesting user was authorized to assign that role, so any low-privileged account could escalate itself to administrator.
An attacker with that level of access can then carry out the same range of malicious actions described above, compromising the integrity and security of the affected site.
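Both flaws belong to the same bug class: a WordPress request handler that changes a user's password or role without first checking a nonce and the caller's capabilities. The following is an added illustration and is not the code of the miniOrange or RegistrationMagic plugins; the hook, function, option and POST field names (`example_vuln_handler`, `example_safe_handler`, `example_reset`, `example_nonce`) are assumptions. It shows a vulnerable handler hooked on `init` next to a hardened one that uses only core WordPress APIs (`check_admin_referer`, `current_user_can`, `wp_set_password`, `wp_roles`).

```php
<?php
/*
 * Hypothetical example of the bug class behind CVE-2024-2172 and CVE-2024-1991.
 * NOT the real plugin code; hook/field/function names are assumptions.
 */

// --- Vulnerable form: no login check, no nonce, no capability check.
// 'init' fires on every request, so an unauthenticated visitor can reach this.
function example_vuln_handler() {
    if ( ! isset( $_POST['example_reset'] ) ) {
        return;
    }
    $user_id  = absint( $_POST['user_id'] );                 // attacker picks the target
    $password = (string) wp_unslash( $_POST['new_password'] );

    // Resets any user's password, e.g. user_id=1 (usually the first administrator),
    // after which the attacker simply logs in as that user.
    wp_set_password( $password, $user_id );

    // Same flaw for roles: a subscriber can promote their own account.
    if ( ! empty( $_POST['role'] ) ) {
        $user = get_user_by( 'id', $user_id );
        if ( $user ) {
            $user->set_role( sanitize_key( $_POST['role'] ) );
        }
    }
}
// add_action( 'init', 'example_vuln_handler' ); // left unhooked on purpose

// --- Hardened form.
function example_safe_handler() {
    if ( ! isset( $_POST['example_reset'] ) ) {
        return;
    }
    // 1. Authentication: anonymous requests are ignored outright.
    if ( ! is_user_logged_in() ) {
        return;
    }
    // 2. CSRF: the form must carry a nonce bound to this action; dies on failure.
    check_admin_referer( 'example_reset_action', 'example_nonce' );

    $user_id = absint( $_POST['user_id'] );

    // 3. Authorization for THIS target: 'edit_user' is a meta capability that core
    //    maps per user, so a subscriber cannot edit the administrator's account.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $password = (string) wp_unslash( $_POST['new_password'] );
    if ( strlen( $password ) < 12 ) {
        wp_die( 'Password too short.', '', array( 'response' => 400 ) );
    }
    wp_set_password( $password, $user_id );

    // 4. Role changes need a separate, higher capability and a real role name.
    //    'promote_users' is granted only to administrators by default.
    if ( ! empty( $_POST['role'] ) ) {
        $role = sanitize_key( $_POST['role'] );
        if ( ! current_user_can( 'promote_users' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        if ( ! wp_roles()->is_role( $role ) ) {
            wp_die( 'Unknown role.', '', array( 'response' => 400 ) );
        }
        $user = get_user_by( 'id', $user_id );
        if ( $user ) {
            $user->set_role( $role );
        }
    }
}
add_action( 'init', 'example_safe_handler' );
```

The point of the hardened version is that the two checks are independent: the nonce stops cross-site forgery but says nothing about authorization, and `current_user_can( 'edit_user', $user_id )` is evaluated against the specific target user rather than a global capability, so a logged-in subscriber can only ever reset their own password. Assigning roles is gated a second time because being able to edit a profile does not imply being able to grant it administrator rights.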
RegistrationMagic administrators should update to the patched version (5.3.1.0 or later) without delay, while sites running the miniOrange plugins should remove them, since no fix will be released.
Site owners are also advised to review their administrator accounts and installed plugins and themes for unexpected changes, monitor their websites for suspicious activity, and conduct regular security audits.