WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw


WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.

The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. It affects the following versions of the two plugins –

It is worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations.

"This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password," Wordfence reported last week.

The issue is the result of a missing capability check in the function mo_wpns_init() that enables an unauthenticated attacker to arbitrarily update any user's password and escalate their privileges to that of an administrator, potentially leading to a complete compromise of the site.
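To make the bug class concrete, here is an added illustration written for this article; it is not miniOrange's code and does not reproduce mo_wpns_init(). The function names, the `example_action` request parameter and the nonce action name are all hypothetical. The first handler shows a password-update routine hooked to `init` with no capability or nonce check, so any request that reaches it is honoured; the second shows the hardened form a reviewer would expect.

```php
<?php
// Hypothetical vulnerable pattern (constructed for illustration, not the plugin's code):
// runs on every request via the 'init' hook and trusts the request parameters blindly.
function example_vulnerable_init() {
    if ( isset( $_POST['example_action'] ) && 'reset_password' === $_POST['example_action'] ) {
        $user_id  = (int) $_POST['user_id'];
        $password = (string) $_POST['new_password'];
        // No check on who is asking: an unauthenticated visitor can reset any account,
        // including the administrator's, which is the class of flaw described above.
        wp_set_password( $password, $user_id );
    }
}

// Hardened form: authorisation (capability check) plus CSRF protection (nonce)
// before any state-changing action is performed.
function example_hardened_init() {
    if ( ! isset( $_POST['example_action'] ) || 'reset_password' !== $_POST['example_action'] ) {
        return;
    }

    // 1. Capability check: only users allowed to edit other users may proceed.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the request must originate from a form WordPress issued
    //    to this user (action name 'example_reset_password' is assumed).
    check_admin_referer( 'example_reset_password' );

    // 3. Validate the target and confirm the caller may edit that specific user.
    $user_id = absint( $_POST['user_id'] );
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Invalid user', '', array( 'response' => 400 ) );
    }

    $password = (string) wp_unslash( $_POST['new_password'] );
    wp_set_password( $password, $user_id );
}

add_action( 'init', 'example_hardened_init' );
```

When auditing a plugin for this class of issue, look for handlers on `init`, `admin_init` or AJAX hooks that call `wp_set_password()`, `wp_update_user()` or role-changing functions without a preceding `current_user_can()` and nonce check.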

"Once an attacker has gained administrative user access to a WordPress website they can then manipulate anything on the targeted site as a normal administrator would," Wordfence said.

"This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content."

The development comes as the WordPress security company warned of a similar high-severity privilege escalation flaw in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions, including and prior to 5.3.0.0.

The issue, addressed on March 11, 2024, with the release of version 5.3.1.0, allows an authenticated attacker to grant themselves administrative privileges by updating the user role. The plugin has more than 10,000 active installations.

"This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which can ultimately lead to full site compromise," István Márton said.
