March 15, 2024 at 08:15AM
Thousands of WordPress websites are at risk due to critical vulnerabilities in two MiniOrange plugins, Malware Scanner and Web Application Firewall. The flaw allows unauthenticated attackers to gain administrative privileges and take control of a site. Separately, a high-severity vulnerability in the RegistrationMagic plugin lets authenticated low-privileged users elevate their privileges to administrator. Site owners should delete the two discontinued MiniOrange plugins and update RegistrationMagic to the latest version to mitigate the risk.
The report describes a critical-severity and a high-severity vulnerability in WordPress plugins. The first issue affects two discontinued MiniOrange plugins, Malware Scanner and Web Application Firewall, with over 10,000 and 300 active installations respectively. The bug, tracked as CVE-2024-2172 with a CVSS score of 9.8, allows unauthenticated attackers to escalate their privileges to administrator: the plugins' password-update routine performs no authorization check, so any visitor can change any user's password, including an administrator's, and then log in as that user. This leads to complete site compromise. Because the plugins are discontinued, site owners are advised to delete them immediately rather than wait for a patch.
The second vulnerability impacts the RegistrationMagic plugin, with over 10,000 active installations, and is tracked as CVE-2024-1991. Authenticated attackers with as little as subscriber-level access can exploit an insufficiently restricted role-update function to grant themselves administrator privileges. A patch for this flaw is available in version 5.3.1.0 of RegistrationMagic; earlier versions remain vulnerable.
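Both bugs belong to the same class: a privileged user-management action (set a password, change a role) that is reachable without an authorization check. The following is an added illustration, not code from MiniOrange, RegistrationMagic or Wordfence, and it does not claim to reproduce the real plugins' code paths beyond what the summary above states. It shows a hypothetical plugin handler hooked to WordPress's `init` action that trusts POST data with no authentication, capability or nonce check, next to the hardened form built from WordPress's own checks. Every function, hook and parameter name prefixed `example_` is invented for this illustration; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_set_password`, `WP_User::set_role`, `get_role`) are real.

```php
<?php
/**
 * Illustrative only: a hypothetical plugin showing the bug class described in
 * the summary, next to the hardened pattern. It is NOT the code of MiniOrange
 * Malware Scanner, Web Application Firewall or RegistrationMagic.
 */

// --- VULNERABLE: privileged action wired to 'init', reachable by anyone ---
// 'init' fires on every request, authenticated or not. The handler trusts the
// POST body and performs no capability check and no nonce check, so an
// unauthenticated visitor can set any user's password, and any logged-in user
// (even a subscriber) can hand themselves the administrator role.
function example_vuln_init() {
    if ( isset( $_POST['example_user_id'], $_POST['example_new_password'] ) ) {
        $user_id = (int) $_POST['example_user_id'];
        wp_set_password( $_POST['example_new_password'], $user_id ); // no authorization
    }
    if ( isset( $_POST['example_user_id'], $_POST['example_new_role'] ) ) {
        $user = get_user_by( 'id', (int) $_POST['example_user_id'] );
        if ( $user ) {
            $user->set_role( $_POST['example_new_role'] );            // subscriber -> administrator
        }
    }
}
// add_action( 'init', 'example_vuln_init' ); // deliberately left unhooked: do not ship this

// --- HARDENED: same feature behind authentication, CSRF and capability checks ---
function example_safe_update_user() {
    // 1. Authentication: only the wp_ajax_ hook is registered below (no
    //    wp_ajax_nopriv_ variant), so anonymous requests never reach this code.
    // 2. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_update_user', 'nonce' );

    $user_id = absint( $_POST['example_user_id'] ?? 0 );
    $user    = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'unknown user' ), 400 );
    }

    // 3. Authorization: the caller needs the capability for *this* target user,
    //    not merely "some" capability. edit_user is a meta capability that
    //    resolves against the target user id.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    if ( isset( $_POST['example_new_password'] ) ) {
        wp_set_password( wp_unslash( $_POST['example_new_password'] ), $user_id );
    }

    if ( isset( $_POST['example_new_role'] ) ) {
        $role = sanitize_key( $_POST['example_new_role'] );

        // Changing roles is a separate, more powerful capability.
        if ( ! current_user_can( 'promote_users' ) ) {
            wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
        }

        $role_obj = get_role( $role );
        if ( ! $role_obj ) {
            wp_send_json_error( array( 'message' => 'unknown role' ), 400 );
        }

        // Never let a caller assign a role carrying capabilities they do not
        // hold themselves; this is what blocks a low-privilege account from
        // promoting anyone (including itself) to administrator.
        foreach ( $role_obj->capabilities as $cap => $granted ) {
            if ( $granted && ! current_user_can( $cap ) ) {
                wp_send_json_error( array( 'message' => 'cannot grant ' . $cap ), 403 );
            }
        }
        $user->set_role( $role );
    }

    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_user', 'example_safe_update_user' );
```

When reviewing a plugin for this class of bug, look for calls such as `wp_set_password`, `set_role`, `add_role` or `update_user_meta` on `wp_capabilities` that are reachable from `init`, `admin_init`, `wp_ajax_nopriv_*` or REST routes with `permission_callback` set to `__return_true`, and confirm that each one is preceded by a `current_user_can` check scoped to the target user and by a nonce check.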
Both vulnerabilities were reported externally through the Wordfence bug bounty program, and the reporting researchers received rewards of $1,250 and $1,313, respectively.
These vulnerabilities highlight the importance of promptly addressing security flaws in third-party plugins, and of removing plugins that are no longer maintained, to safeguard WordPress sites from compromise.