According to The Hacker News, two WordPress plugins from miniOrange, Malware Scanner and Web Application Firewall, are affected by a critical security vulnerability, CVE-2024-2172, discovered by Stiofan, which has a severity score of 9.8 out of 10 on the CVSS vulnerability scoring system.
The vulnerability has a widespread impact: even though the developer removed the plugins from the WordPress plugin directory on March 7, 2024, sites that already had them installed remain exposed. Malware Scanner was recorded as installed and active on up to 10,000 websites, compared to 300 for Web Application Firewall.
Wordfence stated that the vulnerability stems from missing authorization checks in the plugin's code, allowing an unauthenticated attacker to update any user's password and elevate privileges to administrator, potentially leading to a complete website compromise.
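The class of bug Wordfence describes, a password-changing endpoint that never verifies who is calling it, is easiest to see next to its corrected form. The following is an added illustration written for this article, not the miniOrange plugin's code and not taken from The Hacker News or Wordfence; the route names, parameter names and function names are hypothetical, and it uses only standard WordPress APIs (register_rest_route, current_user_can, wp_set_password).

```php
<?php
// Added illustration of the vulnerability class described above.
// Not the affected plugin's code; route and function names are hypothetical.

// VULNERABLE pattern: permission_callback accepts every request, so an
// unauthenticated visitor can reset any user's password, including an
// administrator's. This is the missing-authorization-check shape.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/vulnerable/reset-password', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',   // no authorization at all
        'callback'            => function ( WP_REST_Request $request ) {
            $user_id = (int) $request->get_param( 'user_id' );
            wp_set_password( (string) $request->get_param( 'password' ), $user_id );
            return rest_ensure_response( array( 'updated' => true ) );
        },
    ) );
} );

// HARDENED pattern: the permission callback ties the action to the calling
// user's capabilities for the specific target user, and the callback
// re-validates its input before touching the database.
function example_plugin_can_reset_password( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    // Caller must be authenticated (cookie + X-WP-Nonce, or an application
    // password) and hold edit_user for this exact target. On a single-site
    // install, only administrators pass this check for an administrator target.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Not allowed to change this password.',
            array( 'status' => 403 )
        );
    }
    return true;
}

function example_plugin_reset_password( WP_REST_Request $request ) {
    $user_id  = (int) $request->get_param( 'user_id' );
    $password = (string) $request->get_param( 'password' );

    if ( ! get_userdata( $user_id ) ) {
        return new WP_Error( 'rest_not_found', 'No such user.', array( 'status' => 404 ) );
    }
    if ( strlen( $password ) < 12 ) {
        return new WP_Error( 'rest_invalid_param', 'Password too short.', array( 'status' => 400 ) );
    }

    wp_set_password( $password, $user_id );
    return rest_ensure_response( array( 'updated' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/reset-password', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_plugin_can_reset_password',
        'callback'            => 'example_plugin_reset_password',
        'args'                => array(
            'user_id'  => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
            'password' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The review check a site owner or auditor can apply to any installed plugin is the same one the hardened version passes: every REST route or AJAX handler that modifies users must have a permission_callback (or an equivalent capability check) that depends on the current user and on the target, never a constant such as __return_true.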
As the most popular CMS platform, WordPress is a prime target for hackers.
With administrative privileges, hackers can easily install additional plugins and malicious zip files containing backdoors, and modify website posts to redirect visitors to other malicious websites.
Previously, a similar vulnerability, CVE-2024-1991 with a CVSS score of 8.8, was reported in the RegistrationMagic plugin; it is also a high-severity privilege escalation flaw. That plugin has likewise been downloaded and installed more than 10,000 times.
WordPress is a popular open-source content management system (CMS) widely used around the world. Its ease of installation, content uploading, and management makes it an ideal platform for various types of websites, such as online stores, portals, and discussion forums. According to w3techs, 43.1% of websites worldwide currently use this CMS platform.