Websites using WordPress need to remove these two plugins

by nativetechdoctor

A severe security vulnerability has been reported in two WordPress plugins, Malware Scanner and miniOrange’s Web Application Firewall. According to The Hacker News, the vulnerability, CVE-2024-2172, has a critical severity score of 9.8 out of 10 on the CVSS scale. Although the developer was removed from the WordPress application store on March 7, 2024, the flaw can still have an impact, as both plugins have been installed on thousands of websites. Malware Scanner has recorded installations and activity on up to 10,000 websites, while Web Application Firewall has been installed on 300 sites.

The vulnerability results from a lack of checks in the plugin’s code, which allows an unauthenticated attacker to arbitrarily update any user’s password and escalate privileges to administrator. This could lead to a complete website compromise. As a result, Wordfence has advised users to uninstall the plugins immediately.
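For plugin authors, the kind of check whose absence is described above looks like the following. This is an added illustration, not code from either plugin; the `example_` action name, function name and POST field names are hypothetical.

```php
<?php
// Hypothetical password-change handler showing the checks a plugin needs
// before touching another user's credentials. All "example_" names are
// made up for illustration.

// Registered for logged-in users only. There is deliberately no matching
// wp_ajax_nopriv_ hook, so anonymous requests never reach the handler.
// Note: hooks such as init and admin_init also fire for unauthenticated
// requests, so code attached to them needs the same checks.
add_action( 'wp_ajax_example_reset_password', 'example_reset_password' );

function example_reset_password() {
    // 1. CSRF: verify the nonce tied to this action (dies with 403 on failure).
    check_ajax_referer( 'example_reset_password', 'nonce' );

    // 2. Input handling: target user ID and new password from the request.
    $user_id      = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $new_password = isset( $_POST['new_password'] )
        ? (string) wp_unslash( $_POST['new_password'] )
        : '';

    if ( ! $user_id || '' === $new_password || ! get_userdata( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // 3. Authorization: the caller must be allowed to edit THIS user.
    //    Without a capability check, any caller could set any password.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    wp_set_password( $new_password, $user_id );
    wp_send_json_success();
}
```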

Hackers with administrative rights can easily download additional plugins and malicious zip files containing backdoors and modify website posts to redirect users to other malicious websites. Addressing this issue as soon as possible is essential, as a similar plugin, RegistrationMagic, was previously reported to have a high-severity privilege escalation vulnerability that affected more than 10,000 websites.

WordPress is a popular open-source content management system used by millions of websites worldwide. According to w3techs, 43.1% of websites currently choose this CMS platform. While WordPress’s ease of use and flexibility have made it a popular choice, it’s crucial to stay vigilant and address any security vulnerabilities as soon as they are discovered to ensure the safety and security of your website.
