WordPress users of miniOrange’s Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.
The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system and discovered by Stiofan. It impacts the following versions of the two plugins –
- Malware Scanner (versions <= 4.7.2)
- Web Application Firewall (versions <= 2.1.1)
It’s worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations.
“This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password,” Wordfence reported last week.
The issue is the result of a missing capability check in the function mo_wpns_init() that enables an unauthenticated attacker to arbitrarily update any user’s password and escalate their privileges to that of an administrator, potentially leading to a complete compromise of the site.
“Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would,” Wordfence said.
“This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.”
The development comes as the WordPress security company warned of a similar high-severity privilege escalation flaw in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions, including and prior to 5.3.0.0.
The issue, addressed on March 11, 2024, with the release of version 5.3.1.0, permits an authenticated attacker to grant themselves administrative privileges by updating the user role. The plugin has more than 10,000 active installations.
“This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise,” István Márton said.
