WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

1 month ago AndyC

Mar 18, 2024NewsroomWebsite Security / Vulnerability

WordPress users of miniOrange’s Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.

WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

Mar 18, 2024NewsroomWebsite Security / Vulnerability

WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

WordPress users of miniOrange’s Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.

The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system and discovered by Stiofan. It impacts the following versions of the two plugins –

It’s worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations.

“This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password,” Wordfence reported last week.

Cybersecurity

The issue is the result of a missing capability check in the function mo_wpns_init() that enables an unauthenticated attacker to arbitrarily update any user’s password and escalate their privileges to that of an administrator, potentially leading to a complete compromise of the site.

“Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would,” Wordfence said.

“This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.”

The development comes as the WordPress security company warned of a similar high-severity privilege escalation flaw in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions, including and prior to 5.3.0.0.

The issue, addressed on March 11, 2024, with the release of version 5.3.1.0, permits an authenticated attacker to grant themselves administrative privileges by updating the user role. The plugin has more than 10,000 active installations.

“This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise,” István Márton said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

10 hours ago AndyC
10 Critical Endpoint Security Tips You Should Know

10 Critical Endpoint Security Tips You Should Know

16 hours ago AndyC
New 'Brokewell' Android Malware Spread Through Fake Browser Updates

New ‘Brokewell’ Android Malware Spread Through Fake Browser Updates

16 hours ago AndyC
Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

16 hours ago AndyC
Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites

Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites

22 hours ago AndyC
North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures

North Korea’s Lazarus Group Deploys New Kaolin RAT via Fake Job Lures

1 day ago AndyC

You may have missed

Friday Squid Blogging: Searching for the Colossal Squid

4 hours ago AndyC
Showcasing Artwork by Max for Autism Awareness Month

Showcasing Artwork by Max for Autism Awareness Month

4 hours ago AndyC

How to Remove Personal Information From Data Broker Sites

10 hours ago AndyC
Experts warn of malware campaign targeting WP-Automatic plugin

Experts warn of malware campaign targeting WP-Automatic plugin

10 hours ago AndyC
Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

10 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.