WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.
The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system and was discovered by Stiofan. It impacts the following versions of the two plugins –
It is worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024, so no patched release will be published; removal is the only remediation. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations.
"This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password," Wordfence reported last week.
The problem is the result of a missing capability check in the function mo_wpns_init(), which enables an unauthenticated attacker to arbitrarily update any user's password and escalate their privileges to those of an administrator, potentially leading to a complete compromise of the site. Because the code runs from a plugin initialization hook, it executes on every request, so an attacker needs only to know an existing user name or ID and submit the right request to set that user's password.
"Once an attacker has gained administrative user access to a WordPress website they can then manipulate anything on the targeted website as a normal administrator would," Wordfence said.
"This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content."
The development comes as the WordPress security firm warned of a similar high-severity privilege escalation flaw in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions up to and including 5.3.0.0.
The issue, addressed on March 11, 2024, with the release of version 5.3.1.0, allows an authenticated attacker to grant themselves administrative privileges by updating the user role. The plugin has more than 10,000 active installations.
"This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise," István Márton said.
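Both flaws above follow the same pattern: a plugin handler that changes security-sensitive user state (a password in the miniOrange case, a role in the RegistrationMagic case) without checking that the requester is allowed to do so. The snippet below is an added illustration written for this article, not code from either plugin, showing a vulnerable handler of that shape next to a hardened one. The hook names, functions and request parameters prefixed `hypo_` are hypothetical; the WordPress API calls (`add_action`, `current_user_can`, `check_admin_referer`, `wp_set_password`, `get_user_by`, `wp_roles`, `wp_die`) are real and the code only runs inside a WordPress install.

```php
<?php
/*
 * Illustrative example, not miniOrange's or RegistrationMagic's code.
 * Everything prefixed hypo_ is an assumed name for this demonstration.
 */

// VULNERABLE: hooked on 'init', so it runs for every request, including
// unauthenticated ones. It trusts the request to name the target user and
// the new password/role, with no capability check and no nonce.
function hypo_vulnerable_init() {
    if ( ! isset( $_POST['hypo_action'] ) || 'update_user' !== $_POST['hypo_action'] ) {
        return;
    }
    $user_id = absint( $_POST['hypo_user_id'] );

    if ( isset( $_POST['hypo_new_pass'] ) ) {
        // Anyone on the internet can reset user 1 (usually the admin) here.
        wp_set_password( $_POST['hypo_new_pass'], $user_id );
    }
    if ( isset( $_POST['hypo_new_role'] ) ) {
        $user = get_user_by( 'id', $user_id );
        if ( $user ) {
            // A subscriber can make themselves 'administrator' here.
            $user->set_role( sanitize_key( $_POST['hypo_new_role'] ) );
        }
    }
}
// add_action( 'init', 'hypo_vulnerable_init' );

// HARDENED: same feature, gated on (1) authentication and capability,
// (2) a nonce tied to the action, and (3) validation of the role value.
function hypo_hardened_update_user() {
    if ( ! isset( $_POST['hypo_action'] ) || 'update_user' !== $_POST['hypo_action'] ) {
        return;
    }

    // (1) Only a logged-in user holding the relevant capability may proceed.
    // 'edit_users' and 'promote_users' are administrator-only by default.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // (2) CSRF protection: the form must carry a nonce for this exact action.
    // check_admin_referer() terminates the request if the nonce is invalid.
    check_admin_referer( 'hypo_update_user', 'hypo_nonce' );

    $user_id = absint( $_POST['hypo_user_id'] );
    $user    = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_die( 'No such user', '', array( 'response' => 400 ) );
    }

    if ( ! empty( $_POST['hypo_new_pass'] ) ) {
        wp_set_password( (string) $_POST['hypo_new_pass'], $user_id );
    }

    if ( ! empty( $_POST['hypo_new_role'] ) ) {
        $role = sanitize_key( $_POST['hypo_new_role'] );
        // (3) Role changes need a separate capability, the role must exist,
        // and a user must never be allowed to change their own role.
        if ( ! current_user_can( 'promote_users' )
            || ! wp_roles()->is_role( $role )
            || get_current_user_id() === $user_id ) {
            wp_die( 'Forbidden', '', array( 'response' => 403 ) );
        }
        $user->set_role( $role );
    }
}
// Register on a hook that only fires for logged-in users posting to
// admin-post.php, instead of 'init', so unauthenticated traffic never
// reaches the handler at all.
add_action( 'admin_post_hypo_update_user', 'hypo_hardened_update_user' );
```

The capability check is the fix Wordfence's description points at, but the hook choice matters as much: moving the handler off `init` onto `admin_post_{action}` (or a REST route with a `permission_callback`) means the dangerous code path is simply not reachable without a session, rather than relying on a check inside the function that a future edit could remove.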