A serious security threat has emerged for WordPress sites, and admins are urged to take appropriate action. If you are currently using miniOrange’s Malware Scanner or Web Application Firewall plugins, pay close attention to the information below:
A critical flaw was recently uncovered in these plugins and is tracked as CVE-2024-2172. The vulnerability is rated 9.8 out of 10, which indicates its severity. Websites running the following versions of these plugins are at risk:
Malware Scanner (versions <= 4.7.2)
Web Application Firewall (versions <= 2.1.1)
Meanwhile, the maintainers of these plugins have decided to permanently close them, effective March 7, 2024. However, the threat remains for any website that is still using the outdated versions.
The vulnerability poses a significant risk. It could allow unauthorized access to the dashboard, and passwords can be easily manipulated. Exploitation could even lead to complete compromise of the WordPress site. Attackers could then carry out malicious activities such as uploading harmful files, altering content and redirecting visitors to malicious sites.
Another concerning security flaw has been identified in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8). It affects all versions preceding 5.3.0.0. The flaw allows attackers to become a site administrator and make changes, which is a serious threat to the integrity of the website.
Immediate action is strongly recommended to safeguard WordPress sites. First and foremost, remove the miniOrange plugins from your websites, and at the same time make sure the sites are not running any vulnerable version of the RegistrationMagic plugin.
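One way to check a site against the version ranges above, as an added example that is not part of the original article: the script audits the JSON produced by WP-CLI's `wp plugin list --format=json`. The plugin slugs in `RULES` are assumptions (the article gives only the plugin names) and should be confirmed against your own plugin list; the sample input is constructed.

```python
import json
import re

# Affected ranges as stated in the article. The slugs (plugin directory names)
# are assumptions; confirm them against your own `wp plugin list` output.
RULES = {
    "miniorange-malware-protection": ("CVE-2024-2172", "<=", "4.7.2"),
    "web-application-firewall": ("CVE-2024-2172", "<=", "2.1.1"),
    "custom-registration-form-builder-with-submission-manager": ("CVE-2024-1991", "<", "5.3.0.0"),
}

def parse_version(text):
    """'4.7.2' -> (4, 7, 2). A part with no leading digits counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_affected(version, op, bound):
    """Compare numerically, so 4.7.10 is newer than 4.7.2 (a string compare gets this wrong)."""
    v, b = parse_version(version), parse_version(bound)
    width = max(len(v), len(b))
    v += (0,) * (width - len(v))
    b += (0,) * (width - len(b))
    return v <= b if op == "<=" else v < b

def audit(plugin_list_json):
    """Return (slug, version, cve, status) per affected plugin; inactive ones are included."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        rule = RULES.get(plugin.get("name"))
        version = str(plugin.get("version", ""))  # missing version is treated as affected
        if rule and is_affected(version, rule[1], rule[2]):
            findings.append((plugin["name"], version, rule[0], plugin.get("status", "unknown")))
    return findings

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "miniorange-malware-protection", "status": "active", "version": "4.7.2"},
    {"name": "web-application-firewall", "status": "inactive", "version": "2.1.1"},
    {"name": "custom-registration-form-builder-with-submission-manager", "status": "active", "version": "5.3.0.0"},
    {"name": "example-plugin", "status": "active", "version": "1.0"},
])

if __name__ == "__main__":
    for slug, version, cve, status in audit(SAMPLE):
        print(f"{slug} {version} ({status}): in range for {cve}")
```

Inactive plugins are reported as well, since the article's recommendation is to remove the miniOrange plugins rather than just deactivate them.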