In a significant development for WordPress users, a critical security vulnerability has been identified in miniOrange’s Malware Scanner and Web Application Firewall plugins, prompting an urgent recommendation for website owners to uninstall these tools. The detected flaw, designated as CVE-2024-2172, scores a staggering 9.8 on the CVSS scale, representing a severe risk to system integrity.
This vulnerability, uncovered by cybersecurity expert Stiofan, specifically affects Malware Scanner plugin versions up to 4.7.2 and Web Application Firewall plugins up to version 2.1.1. Notably, the maintainers of both plugins have permanently removed them from circulation as of March 7, 2024. Despite this, reports indicate that the Malware Scanner is still being used on over 10,000 active installations, while the Web Application Firewall remains active on more than 300 sites.
As described in a report by Wordfence, the core issue lies in a missing capability check within the function mo_wpns_init(). This oversight allows unauthenticated attackers to manipulate user passwords, effectively elevating their privileges to those of an administrator. Such access could lead to a complete takeover of the affected WordPress site.
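To make the "missing capability check" concrete, here is an added illustration (not miniOrange's code, and not the actual mo_wpns_init() body) of a hypothetical password-update handler on the WordPress init hook, first with the gate missing and then with the authorization checks a plugin should perform before touching another account:

```php
<?php
// Added illustration only: hypothetical handler names and POST fields, not the
// plugin's real code. Shows the class of bug the article describes: code on
// 'init' runs for every request, authenticated or not, so the handler itself
// must enforce who may change a password.

// Weak pattern: the only "gate" is the presence of POST fields, which any
// unauthenticated client can supply, so anyone can reset any user's password.
function hypo_plugin_init_weak() {
    if ( isset( $_POST['hypo_set_password'], $_POST['hypo_user_id'] ) ) {
        $user_id = (int) $_POST['hypo_user_id'];
        wp_set_password( sanitize_text_field( wp_unslash( $_POST['hypo_set_password'] ) ), $user_id );
    }
}
// add_action( 'init', 'hypo_plugin_init_weak' ); // left disabled on purpose

// Hardened pattern: require a logged-in user holding the right capability,
// verify a nonce bound to this action (CSRF protection, an addition beyond the
// capability check itself), and refuse to modify an account more privileged
// than the caller before changing anything.
function hypo_plugin_init_hardened() {
    if ( ! isset( $_POST['hypo_set_password'], $_POST['hypo_user_id'] ) ) {
        return; // nothing to do for ordinary page loads
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient permissions', 403 ); // the check the page says was missing
    }
    $nonce = isset( $_POST['hypo_nonce'] ) ? sanitize_key( $_POST['hypo_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'hypo_set_password' ) ) {
        wp_die( 'Invalid request', 403 );
    }
    $user_id = (int) $_POST['hypo_user_id'];
    if ( user_can( $user_id, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Cannot modify an administrator account', 403 );
    }
    wp_set_password( sanitize_text_field( wp_unslash( $_POST['hypo_set_password'] ) ), $user_id );
}
add_action( 'init', 'hypo_plugin_init_hardened' );
```

The same pattern applies to any action a plugin exposes on init, admin-post or AJAX hooks: presence of request parameters is never an authorization decision.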
Once an attacker secures administrative access, they could engage in activities typically reserved for legitimate administrators. This includes uploading potentially malicious plugins or theme files, which may contain backdoors, or even modifying site content to redirect visitors to harmful sites or inject spam.
The gravity of this situation is underscored by a concurrent report of a similar high-severity privilege escalation vulnerability within the RegistrationMagic plugin, identified as CVE-2024-1991, which also affects all versions up through 5.3.0.0. This particular flaw allows authenticated but lower-level users to upgrade their permissions to those of site administrators, posing a direct risk of complete site compromise. RegistrationMagic, too, has over 10,000 active installations but has since addressed the issue with a security patch released on March 11, 2024.
Mapped to the MITRE ATT&CK framework, these attacks combine two stages: initial access is gained by exploiting the vulnerable plugin, and privilege escalation then follows as the attacker obtains administrator-level access without proper authorization.
Overall, WordPress site administrators must act promptly to safeguard their systems against these vulnerabilities. Failure to do so could potentially lead to severe compromises, with harmful consequences not just for website functionality, but also for user safety and data privacy.
For business owners utilizing these plugins, it is crucial to remain vigilant and informed about emerging vulnerabilities and the best practices for cybersecurity, ensuring that their operational environments are secure against unauthorized access.