After a serious security vulnerability (CVE-2024-2172) was found, WordPress users running miniOrange's Malware Scanner and Web Application Firewall plugins are advised to remove them from their websites. The vulnerability was discovered by Stiofan and carries a CVSS score of 9.8 out of a possible 10. It affects the following plugin versions:
- Malware Scanner (versions <= 4.7.2)
- Web Application Firewall (versions <= 2.1.1)
It's important to note that, as of March 7, 2024, the maintainers have permanently closed both plugins, so no patched version will be published. Web Application Firewall has more than 300 active installations, compared to over 10,000 for Malware Scanner.
“This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password,” Wordfence reported last week.
The problem stems from the function “mo_wpns_init()” lacking a capability check. Because nothing verifies who is making the request, an unauthenticated attacker can change any user's password at will and thereby elevate their privileges to administrator, potentially resulting in a site-wide compromise.
“Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content,” Wordfence said.
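To make the root cause concrete, the following is an added illustration of the missing-capability-check pattern in a WordPress init handler and its hardened form. It is not the miniOrange plugin's code; the handler names, the `change_password` option value and the nonce action are assumptions chosen for the example.

```php
<?php
// Added illustration, not the miniOrange plugin's code: a hypothetical handler
// on the 'init' hook that applies a password change taken from request data.
//
// Vulnerable pattern: 'init' runs on every request, including anonymous ones,
// and the handler trusts the request parameters with no capability or nonce
// check, so any visitor who reaches the site can reset any user's password.
function hypothetical_vulnerable_init() {
    if ( isset( $_POST['option'] ) && 'change_password' === $_POST['option'] ) {
        $user = get_user_by( 'login', sanitize_user( wp_unslash( $_POST['username'] ) ) );
        if ( $user ) {
            wp_set_password( wp_unslash( $_POST['password'] ), $user->ID );
        }
    }
}
add_action( 'init', 'hypothetical_vulnerable_init' );

// Hardened pattern: authorize before acting. Require a logged-in user holding
// the capability WordPress itself uses for editing other users, verify a nonce
// so the request came from the plugin's own admin form, and only then touch
// the password.
function hypothetical_hardened_init() {
    if ( ! isset( $_POST['option'] ) || 'change_password' !== $_POST['option'] ) {
        return;
    }
    // Authentication and authorization: anonymous visitors and low-privilege
    // roles such as subscriber are rejected here.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF protection: the nonce is bound to the logged-in user and this action.
    check_admin_referer( 'hypothetical_change_password' );

    $user = get_user_by( 'login', sanitize_user( wp_unslash( $_POST['username'] ) ) );
    if ( ! $user ) {
        return;
    }
    wp_set_password( wp_unslash( $_POST['password'] ), $user->ID );
}
add_action( 'init', 'hypothetical_hardened_init' );
```

When reviewing a plugin, the check to apply is whether every state-changing handler reachable from a request performs a `current_user_can()` test and a nonce verification before it acts; the sanitization calls alone do not substitute for either.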
This development coincides with a warning from the WordPress security company about a similar high-severity privilege escalation vulnerability that affects all versions of the RegistrationMagic plugin up to and including 5.3.0.0 (CVE-2024-1991, CVSS score: 8.8).
Version 5.3.1.0, which addresses the problem, was released on March 11, 2024. The flaw lets an authenticated attacker gain administrative access by altering their own user role. The plugin has over 10,000 active installations.
“This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise,” István Márton said.