WordPress: Forced removal of miniOrange due to vulnerability
A critical security flaw, identified as CVE-2024-2172, has been found in miniOrange’s Malware Scanner and Web Application Firewall plugins for WordPress, prompting urgent deletion by users.
With a severity rating of 9.8 out of 10 on the CVSS scale, the flaw affects Malware Scanner versions up to 4.7.2 and Web Application Firewall versions up to 2.1.1. Discovered by Stiofan, the issue stems from a missing capability check in the mo_wpns_init() function, enabling unauthenticated attackers to update any user’s password and elevate their privileges to that of an administrator. This vulnerability could result in complete site compromise, allowing attackers to manipulate site content, upload malicious files, and redirect users to harmful sites.
Both plugins have been permanently closed by the maintainers as of March 7, 2024. Malware Scanner boasts over 10,000 active installs, while Web Application Firewall has more than 300. The severity of the flaw lies in its potential for unauthorized privilege escalation, granting attackers full administrative control over affected WordPress sites.
In a related development, a high-severity privilege escalation vulnerability (CVE-2024-1991) was discovered in the RegistrationMagic plugin, impacting all versions up to and including 5.3.0.0. Addressed in version 5.3.1.0 released on March 11, 2024, the flaw enables authenticated attackers with subscriber-level permissions or higher to elevate their privileges to that of a site administrator. With over 10,000 active installations, this vulnerability poses a significant risk of complete site compromise.
The exploitation of such vulnerabilities underscores the critical importance of promptly updating plugins and themes to mitigate security risks. Failure to do so could leave WordPress sites vulnerable to exploitation, potentially resulting in severe consequences such as data breaches, content manipulation, and unauthorized access. Users are urged to prioritize security measures and promptly address any identified vulnerabilities to safeguard their WordPress installations.
