WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their sites following the discovery of a critical security flaw.
The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. It affects the following versions of the two plugins:
- Malware Scanner (versions <= 4.7.2)
- Web Application Firewall (versions <= 2.1.1)
It's worth noting that both plugins have been permanently closed by the maintainers as of March 7, 2024, so no patched version will be released; removal is the only remediation. Malware Scanner has over 10,000 active installs, while Web Application Firewall has more than 300 active installations.
"This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password," Wordfence said last week.
The issue is the result of a missing capability check in the function mo_wpns_init(). Because the handler runs without verifying who is making the request, an unauthenticated attacker can arbitrarily update any user's password, including that of an administrator account, and so escalate their privileges to administrator, potentially leading to a full compromise of the site.
"Once an attacker has gained administrative user access to a WordPress website they can then manipulate anything on the targeted site as a normal administrator would," Wordfence explained.
"This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content."
The development comes as the WordPress security company warned of a similar high-severity privilege escalation flaw in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions up to and including 5.3…
The issue, resolved on March 11, 2024, with the release of version 5.3.1, allows an authenticated attacker to grant themselves administrative privileges by updating the user role. The plugin has more than 10,000 active installations.
"This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise," István Márton said.
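Both flaws described above share the same root cause: a request handler that performs a privileged account change (a password update in the miniOrange case, a role update in the RegistrationMagic case) without first checking that the requester is allowed to make it. The following is an added illustration written for this page, not the code of either plugin: a hypothetical handler hooked on `init` that trusts `$_POST` and skips the capability check, shown beside a hardened version. The function names (`demo_vuln_account_update`, `demo_safe_account_update`), the hook action name and the `demo_*` request fields are assumptions; the WordPress API calls are real.

```php
<?php
/*
 * Added example for this article (hypothetical plugin code, not miniOrange's or RegistrationMagic's).
 * Shows the missing-capability-check pattern and its fix using standard WordPress APIs.
 */

/* ---- VULNERABLE PATTERN -------------------------------------------------- */
/* Hooked on 'init', so it runs on every request, for every visitor, before any
 * authentication decision. Any field in $_POST is trusted as-is. */
add_action( 'init', 'demo_vuln_account_update' );
function demo_vuln_account_update() {
    if ( empty( $_POST['demo_user_id'] ) ) {
        return;
    }
    $user_id = (int) $_POST['demo_user_id'];

    if ( ! empty( $_POST['demo_new_password'] ) ) {
        // No is_user_logged_in()/current_user_can() check: an unauthenticated
        // visitor can reset the password of any account, including user ID 1.
        wp_set_password( $_POST['demo_new_password'], $user_id );
    }

    if ( ! empty( $_POST['demo_new_role'] ) ) {
        $user = get_user_by( 'id', $user_id );
        if ( $user ) {
            // No capability check and no role allow-list: a subscriber can
            // set their own role to 'administrator'.
            $user->set_role( $_POST['demo_new_role'] );
        }
    }
}

/* ---- HARDENED PATTERN ---------------------------------------------------- */
/* admin_post_{action} only fires for logged-in users (anonymous requests would
 * need an explicit admin_post_nopriv_ hook), so the handler never runs for
 * unauthenticated traffic in the first place. */
add_action( 'admin_post_demo_account_update', 'demo_safe_account_update' );
function demo_safe_account_update() {
    // 1. Authorization: the caller must hold a capability that implies
    //    managing other accounts, not merely be logged in.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the form must carry a nonce bound to this action
    //    (generated with wp_nonce_field( 'demo_account_update' ) in the form).
    check_admin_referer( 'demo_account_update' );

    // 3. Input handling: coerce the target ID and re-check per-target capability.
    $user_id = isset( $_POST['demo_user_id'] ) ? absint( $_POST['demo_user_id'] ) : 0;
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'You may not edit this user.', '', array( 'response' => 403 ) );
    }

    if ( ! empty( $_POST['demo_new_password'] ) ) {
        wp_set_password( wp_unslash( $_POST['demo_new_password'] ), $user_id );
    }

    if ( ! empty( $_POST['demo_new_role'] ) ) {
        $role = sanitize_key( wp_unslash( $_POST['demo_new_role'] ) );

        // 4. Role changes need a separate capability, and the requested role
        //    must be one the current user is allowed to assign. get_editable_roles()
        //    already excludes roles above the caller's own level.
        if ( ! current_user_can( 'promote_users' ) ) {
            wp_die( 'You may not change roles.', '', array( 'response' => 403 ) );
        }
        $editable = get_editable_roles();
        if ( ! isset( $editable[ $role ] ) ) {
            wp_die( 'Invalid role.', '', array( 'response' => 400 ) );
        }

        $user = get_user_by( 'id', $user_id );
        if ( ! $user ) {
            wp_die( 'Unknown user.', '', array( 'response' => 404 ) );
        }
        $user->set_role( $role );
    }

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url( 'users.php' ) );
    exit;
}
```

When auditing a plugin for this class of bug, look for any function attached to `init`, `wp_loaded`, `admin_init` or a REST/AJAX endpoint that reads `$_POST`/`$_GET` and reaches `wp_set_password()`, `wp_update_user()`, `WP_User::set_role()` or `update_user_meta()` on the `wp_capabilities` key; each such path needs both a `current_user_can()` check for the specific target and a nonce check, and role assignments should be validated against `get_editable_roles()` rather than accepted verbatim.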
Some elements of this article are sourced from:
thehackernews.com