According to The Hacker News, two WordPress plugins from miniOrange, Malware Scanner and Web Application Firewall, contain a serious security flaw, tracked as CVE-2024-2172 and discovered by the researcher Stiofan, with a critical score of 9.8 on the 10-point CVSS vulnerability scoring scale.
The flaw has a wide impact: even though both plugins were closed and removed from the WordPress plugin directory on March 7, 2024, sites that already installed them remain exposed. Malware Scanner had more than 10,000 active installations and Web Application Firewall around 300.
Wordfence said the vulnerability stems from a missing authorization check in the plugins' code, which lets an unauthenticated attacker arbitrarily update any user's password and escalate privileges to administrator, potentially leading to a complete compromise of the website.
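The pattern Wordfence describes, a request handler that changes credentials without first checking who is asking, is illustrated below with an added example. This is constructed code, not the miniOrange plugins' code (the page does not show their handler or its function names); the hook, request parameter names and nonce action are assumptions chosen for the illustration. The first handler is the vulnerable shape, the second the hardened form a reviewer would expect.

```php
<?php
/*
 * Illustrative vulnerable handler (NOT the miniOrange code): it runs on the
 * 'init' hook, which WordPress fires for every request, logged in or not, and
 * resets whatever user is named in the POST body. Nothing checks that the
 * caller is authenticated, authorized, or even that the request is a form
 * submission the site issued, so anyone can reset the administrator's password.
 */
add_action( 'init', function () {
    if ( empty( $_POST['example_reset_pw'] ) ) {          // assumed parameter name
        return;
    }
    $user_id  = absint( $_POST['user_id'] );
    $password = (string) ( $_POST['new_password'] ?? '' );
    wp_set_password( $password, $user_id );               // VULNERABLE: no authorization check
} );

/*
 * Hardened form of the same handler (also illustrative). Three checks are added:
 *  1. the caller must be logged in;
 *  2. the caller must hold the 'edit_user' meta-capability for the target
 *     account, which WordPress grants to administrators (and to users for
 *     themselves), so a subscriber cannot reset an admin's password;
 *  3. the request must carry a valid nonce tied to this action, so a victim's
 *     browser cannot be tricked into submitting it (CSRF).
 */
add_action( 'init', function () {
    if ( empty( $_POST['example_reset_pw_safe'] ) ) {     // assumed parameter name
        return;
    }
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required', '', array( 'response' => 401 ) );
    }
    $user_id = absint( $_POST['user_id'] ?? 0 );
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 'example_reset_pw' is the assumed nonce action; the form must be rendered
    // with wp_nonce_field( 'example_reset_pw' ) for this check to pass.
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'example_reset_pw' ) ) {
        wp_die( 'Invalid request token', '', array( 'response' => 403 ) );
    }
    $password = (string) ( $_POST['new_password'] ?? '' );
    if ( strlen( $password ) < 12 ) {                     // assumed minimum length
        wp_die( 'Password too short', '', array( 'response' => 400 ) );
    }
    wp_set_password( $password, $user_id );
} );
```

When auditing a plugin for this class of bug, look for every `add_action`/`add_filter` callback (and every `wp_ajax_nopriv_*` or REST route with `permission_callback` set to `__return_true`) that reaches a state-changing WordPress function such as `wp_set_password()`, `wp_update_user()` or `update_option()`, and confirm a `current_user_can()` check and a nonce check sit between the request and that call.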
With administrative rights, attackers can easily upload additional plugins or malicious zip files containing backdoors, and modify website posts to redirect visitors to other malicious websites.
Earlier, another plugin, RegistrationMagic, was reported to have a flaw tracked as CVE-2024-1991 with a CVSS score of 8.8, also a high-severity privilege escalation vulnerability. That plugin likewise has more than 10,000 installations.
WordPress is a well-known open source content management system (CMS), widely used around the world. The ease of installing it, publishing and managing content makes WordPress a common choice for all types of websites, such as online stores, portals and discussion forums. According to W3Techs, this CMS is currently used by 43.1% of websites worldwide.