According to The Hacker New , two WordPress plugins, Malware Scanner and Web Application Firewall by miniOrage, are vulnerable to a serious security flaw, CVE-2024-2172, discovered by Stiofan, with a severity score of 9.8 on a 10-point scale of the CVSS security vulnerability scoring system.

The bug has a wide impact because even though the developer removed it from the WordPress app store on March 7, 2024, it can still have an impact because Malware Scanner has been recorded as being installed and active on up to 10,000 websites, while with Web Application Firewall it is 300.

Wordfence said the vulnerability was the result of a missing check in the plugin's code, allowing an unauthenticated attacker to arbitrarily update any user's password and escalate privileges to administrator, potentially leading to a complete compromise of the website.

With administrative rights, hackers can easily download additional plugins, malicious zip files containing backdoors, and modify website posts to redirect users to other malicious websites.

Previously, a similar plugin, RegistrationMagic, was reported with the bug code CVE-2024-1991 and CVSS score 8.8, which is also a high severity privilege escalation vulnerability. This plugin has also been downloaded and installed more than 10,000 times.

WordPress is a popular open source content management system (CMS) that is widely used in the world. The ease of installation, uploading and managing content on this CMS platform makes WordPress an ideal platform for websites such as online stores, portals, discussion forums, etc. According to w3techs , this CMS platform is currently chosen by 43.1% of websites in the world.