Malware Threat Detected: Uninstall miniOrange WordPress Plugins Without Delay

Published on March 19th, 2024

Attention WordPress users utilizing miniOrange’s Malware Scanner and Web Application Firewall plugins: it is strongly advised to remove these plugins from your websites due to the identification of a critical security vulnerability.

This flaw, identified as CVE-2024-2172 and rated 9.8 out of 10 on the CVSS scoring system, was discovered by Stiofan. It affects the following versions of the plugins:

As of March 7, 2024, the maintainers have permanently closed both plugins. Malware Scanner, with over 10,000 active installs, and Web Application Firewall, with more than 300 active installations, are impacted.

Wordfence issued a report last week stating, “This vulnerability allows an unauthenticated attacker to potentially gain administrative privileges by altering the user password.”

Uninstall miniOrange Plugins From WordPress Immediately

The problem stems from a missing capability check in the function mo_wpns_init(), which allows an unauthenticated attacker to change any user’s password at will. The attacker can then escalate their privileges to those of an administrator, potentially resulting in a full compromise of the website.

“Once a hacker has secured administrative access to a WordPress site, they gain the power to manipulate it just like any regular administrator,” Wordfence explained.

“This means they can upload files for plugins and themes, which might include malicious zip files with backdoors, as well as alter posts and pages to redirect visitors to other malicious sites or inject spam content.”
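The class of flaw described above, a state-changing handler with no capability check, is sketched below as an added example. It is not the miniOrange source and not code from the original article; every `example_*` function, action and field name is hypothetical. It contrasts the unsafe pattern with a handler gated by authentication, capability and nonce checks.

```php
<?php
// Added illustration: hypothetical plugin code, NOT the miniOrange source.
// All example_* names and request fields are invented for this sketch.

// 'init' fires on every request, including unauthenticated front-end hits,
// so a handler hooked here must authorize before it changes any state.
add_action( 'init', 'example_hardened_init' );

// UNSAFE pattern: acts on request data with no capability check and no nonce.
// Shown only for contrast; it is deliberately never hooked.
function example_unsafe_init() {
    if ( isset( $_POST['example_action'] ) && 'reset_pass' === $_POST['example_action'] ) {
        wp_set_password( $_POST['example_pass'], (int) $_POST['example_user'] );
    }
}

// Hardened pattern: same feature, gated before any state change.
function example_hardened_init() {
    if ( ! isset( $_POST['example_action'] ) || 'reset_pass' !== $_POST['example_action'] ) {
        return; // Not a request for this handler.
    }
    $user_id = isset( $_POST['example_user'] ) ? absint( $_POST['example_user'] ) : 0;

    // 1. Caller must be logged in and allowed to edit this specific user.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 2. Request must carry a valid nonce (CSRF protection); dies on failure.
    check_admin_referer( 'example_reset_pass_' . $user_id, 'example_nonce' );

    // 3. Validate input before use.
    $pass = isset( $_POST['example_pass'] ) ? (string) wp_unslash( $_POST['example_pass'] ) : '';
    if ( 0 === $user_id || strlen( $pass ) < 12 ) {
        wp_die( 'Invalid request', '', array( 'response' => 400 ) );
    }

    wp_set_password( $pass, $user_id );
}
```

When reviewing a plugin, the same three gates are what to look for in any function hooked to `init`, `admin_init` or an AJAX action that writes user data or options.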

This development coincides with the recent warning from the WordPress security firm regarding a similar high-severity privilege escalation vulnerability found in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions, including those before 5.3.0.0.

Addressed on March 11, 2024, with the release of version 5.3.1.0, this issue allows an authenticated attacker to grant themselves administrative privileges by adjusting the user role. The plugin boasts over 10,000 active installations.

“This vulnerability enables authenticated attackers with subscriber-level permissions or higher to elevate their access to that of a site administrator, potentially leading to a complete takeover of the site,” stated István Márton.