WordPress administrators are advised to remove miniOrange plugins due to a critical flaw

March 18, 2024 | Pressroom | Website Security / Vulnerabilities


WordPress users of miniOrange’s Malware Scanner and Web Application Firewall plugins are advised to delete them from their websites following the discovery of a critical security flaw.

The defect, tracked as CVE-2024-2172, is rated 9.8 out of a possible 10 in the CVSS scoring system. It impacts the following versions of the two plugins:

It is worth noting that the plugins have been permanently shut down by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installations, Web Application Firewall has more than 300 active installations.

“This vulnerability allows an unauthenticated attacker to grant themselves administrative privileges by updating the user’s password,” Wordfence reported last week.


The issue stems from a missing capability check in the mo_wpns_init() function, which lets an unauthenticated attacker update any user’s password and elevate their own privileges to those of an administrator, potentially leading to a full compromise of the site.

“Once an attacker has gained administrative access to a WordPress site, they can manipulate everything on the targeted site as a normal administrator would,” Wordfence said.

“This includes the ability to upload plugin and theme files, which may be malicious zip files containing backdoors, and edit posts and pages that can be exploited to redirect site users to other malicious sites or insert spam content.”

The development comes as the WordPress security firm warned of a similar high-severity privilege escalation flaw in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions, including and prior to 5.3.0.0.

The issue, which was fixed on March 11, 2024, with the release of version 5.3.1.0, allows an authenticated attacker to grant themselves administrative privileges by updating the user role. The plugin has more than 10,000 active installations.

“This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator, which could ultimately lead to a complete site compromise,” István Márton said.
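Both flaws described above belong to the same class: a request handler that changes a user's password or role without first verifying who is asking. The following is an added illustration written for this article, not code from miniOrange, RegistrationMagic or Wordfence; the function names, the `example_` prefix, the request parameters and the nonce action are hypothetical. It places a minimal vulnerable handler beside a hardened one that applies the three checks WordPress plugin code should perform before touching an account: authentication, a nonce for request intent, and a capability check for authorization.

```php
<?php
/*
 * Added example, not code from the plugins discussed in the article.
 * It shows the bug class (a handler hooked on `init` that updates a
 * user's password or role with no authorization) and its hardened form.
 * All names prefixed `example_` and all request fields are hypothetical.
 */

// VULNERABLE PATTERN: no login, nonce or capability check. Any visitor who
// can send a POST request reaches wp_set_password() and set_role().
function example_handle_account_update_vulnerable() {
    if ( ! isset( $_POST['example_action'] ) || 'update_account' !== $_POST['example_action'] ) {
        return;
    }
    $user_id = absint( $_POST['user_id'] );
    if ( ! empty( $_POST['new_password'] ) ) {
        wp_set_password( $_POST['new_password'], $user_id ); // any account, by anyone
    }
    if ( ! empty( $_POST['new_role'] ) ) {
        $user = get_userdata( $user_id );
        if ( $user ) {
            $user->set_role( $_POST['new_role'] );           // e.g. 'administrator'
        }
    }
}
// add_action( 'init', 'example_handle_account_update_vulnerable' );

// HARDENED PATTERN: authenticate, verify intent (nonce), then authorize (capability).
function example_handle_account_update_hardened() {
    if ( ! isset( $_POST['example_action'] ) || 'update_account' !== $_POST['example_action'] ) {
        return;
    }

    // 1. Authentication: an anonymous request can never change an account.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Forbidden', array( 'response' => 401 ) );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action
    //    (the form would emit it with wp_nonce_field( 'example_update_account' )).
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_update_account' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    // 3. Authorization for passwords: the `edit_user` meta capability is
    //    evaluated against this specific user id, so a subscriber cannot
    //    reset an administrator's password even though they are logged in.
    if ( ! empty( $_POST['new_password'] ) ) {
        if ( ! current_user_can( 'edit_user', $user_id ) ) {
            wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
        }
        wp_set_password( (string) wp_unslash( $_POST['new_password'] ), $user_id );
    }

    // 4. Authorization for roles: assigning a role additionally requires
    //    `promote_users`, and the requested role must exist on the site.
    //    The role string from the request is never trusted as-is.
    if ( ! empty( $_POST['new_role'] ) ) {
        $new_role = sanitize_key( wp_unslash( $_POST['new_role'] ) );
        if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
            wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
        }
        if ( null === get_role( $new_role ) ) {
            wp_die( 'Invalid role.', 'Bad Request', array( 'response' => 400 ) );
        }
        $user = get_userdata( $user_id );
        if ( $user ) {
            $user->set_role( $new_role );
        }
    }
}
add_action( 'init', 'example_handle_account_update_hardened' );
```

The order of the checks matters: the nonce only proves the request came from a form the site rendered, not that the requester may perform the action, so `wp_verify_nonce()` never substitutes for `current_user_can()`. Using the per-user `edit_user` meta capability rather than a blanket role comparison is what closes the authenticated, subscriber-level escalation described for the RegistrationMagic case, while the `is_user_logged_in()` and capability checks together close the unauthenticated path described for the miniOrange plugins.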
