WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

March 18, 2024 at 05:57AM

WordPress users are advised to delete miniOrange’s Malware Scanner and Web Application Firewall plugins due to a critical security flaw with a CVSS score of 9.8. The flaw allows unauthenticated attackers to gain administrative privileges, which can lead to compromise of the site. A separate privilege escalation flaw was found in the RegistrationMagic plugin.

Key takeaways:

1. miniOrange’s Malware Scanner and Web Application Firewall plugins for WordPress have a critical security flaw (CVE-2024-2172, CVSS score: 9.8) that allows unauthenticated attackers to grant themselves administrative privileges, potentially leading to a complete compromise of the site.

2. Both plugins have been permanently closed by the maintainers as of March 7, 2024. Malware Scanner has over 10,000 active installs, while Web Application Firewall has more than 300 active installations.

3. Wordfence reported on the vulnerability, highlighting the risk of unauthenticated attackers manipulating site content and injecting malicious files.

4. A similar high-severity privilege escalation flaw (CVE-2024-1991, CVSS score: 8.8) was found in the RegistrationMagic plugin, affecting all versions up to and including 5.3.0.0.

5. The flaw in RegistrationMagic was addressed in version 5.3.1.0, released on March 11, 2024. The plugin has more than 10,000 active installations.

These takeaways highlight the urgency of addressing these security vulnerabilities in the affected WordPress plugins and the potential risks associated with these flaws.