    WordPress admins urged to remove miniOrange plugin due to critical flaw

    By techempire

    Report | March 18, 2024 | Editorial Department | Website security/vulnerabilities

    WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are urged to remove them from their sites following the discovery of a critical security vulnerability.

    The defect is tracked as CVE-2024-2172, rated 9.8 out of 10 on the CVSS scoring system. It affects the following versions of both plugins –

    It is worth noting that as of March 7, 2024, these plugins have been permanently shut down by the maintainers. The malware scanner has over 10,000 active installations, and the web application firewall has over 300 active installations.

    Wordfence reported last week: “This vulnerability allows an unauthenticated attacker to grant himself administrative privileges by updating a user’s password.”

    The issue is caused by a missing capability check in the mo_wpns_init() function, which allows an unauthenticated attacker to arbitrarily update the password of any user and escalate their privileges to those of an administrator, potentially leaving the site completely compromised.

    “Once an attacker gains administrative user access to a WordPress site, they can manipulate any content on the target site just like a normal administrator,” Wordfence said.

    “This includes the ability to upload plugin and theme files, which may be malicious zip files containing backdoors, as well as the ability to modify posts and pages that can be used to redirect site users to other malicious sites or inject spam content of email.”
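The class of bug described above for mo_wpns_init(), shown as an added example that is not miniOrange's code and not part of the original article: a handler attached to WordPress's `init` hook runs for unauthenticated requests too, so it must authenticate and authorize the caller itself before changing a password. The handler, form field and nonce names are hypothetical.

```php
<?php
// Added illustration: a hypothetical plugin handler, NOT miniOrange's code.
// 'init' fires on every request, including anonymous front-end requests,
// so any state-changing branch reached from it must gate the caller itself.
add_action( 'init', 'example_handle_password_update' );

function example_handle_password_update() {
    // Hypothetical field names; only act on this plugin's own form.
    if ( ! isset( $_POST['example_action'] )
        || 'update_password' !== $_POST['example_action'] ) {
        return;
    }

    // 1. Authentication: anonymous requests stop here.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the request must carry a nonce minted for this action.
    $nonce = isset( $_POST['example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_update_password' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 3. Authorization (the capability check): may the caller edit THIS
    //    account? Omitting this step lets any caller pick any user_id.
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $target_id || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Passwords are not sanitized (that would alter them), only unslashed.
    $new_password = isset( $_POST['new_password'] )
        ? (string) wp_unslash( $_POST['new_password'] )
        : '';
    if ( '' === $new_password ) {
        wp_die( 'Password must not be empty.', '', array( 'response' => 400 ) );
    }

    // Only now perform the privileged operation.
    wp_set_password( $new_password, $target_id );
}
```

When reviewing a plugin for this pattern, look for `init`, `admin_init` and AJAX handlers that reach calls such as `wp_set_password()` or `wp_update_user()` without a preceding `current_user_can()` check.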

    Meanwhile, the WordPress security company warned of a similar high-severity privilege escalation flaw (CVE-2024-1991, CVSS score: 8.8) in the RegistrationMagic plugin, which affects all versions up to and including 5.3.0.0.

    The issue, which allows an authenticated attacker to grant themselves administrative rights by updating a user role, was resolved with the release of version 5.3.1.0 on March 11, 2024. The plugin has over 10,000 active installations.

    István Márton said: “This vulnerability allows an authenticated threat actor with subscriber-level permissions or higher to escalate their privileges to those of a site administrator, which could ultimately lead to a site being completely compromised.”
