WordPress site owners should take note of a critical warning: thousands of sites could be at risk due to vulnerabilities in certain plugins. The Wordfence team at WordPress security company Defiant highlighted the dangers posed by discontinued MiniOrange plugins, specifically the Malware Scanner and Web Application Firewall.
The issue is tracked as CVE-2024-2172 and has a risk rating of 9.8 out of 10. The plugins allow attackers to escalate their privileges to administrator status. This means unauthorized individuals could potentially change user passwords and then gain full control over affected websites.
The plugins were discontinued on March 7, by which time there were more than 10,000 active Malware Scanner installations and over 300 Web Application Firewall installations. Site owners are advised to delete these plugins immediately.
The threat does not end there. Another privilege escalation vulnerability was identified in the widely used RegistrationMagic plugin, and it has impacted more than 10,000 WordPress sites. It is tracked as CVE-2024-1991 and enables authenticated users to grant themselves administrative privileges.
A patch in RegistrationMagic version 5.3.1.0 provides some relief, and site administrators are advised to update their plugins to the latest versions.
WordPress site owners are also advised to prioritize security measures and stay informed about potential threats. Regular plugin audits, prompt updates and adherence to security best practices are essential as well.
Meanwhile, plugin developers and the broader WordPress community are also advised to remain vigilant to avoid such threats. By working together to address vulnerabilities and strengthen security measures, websites can easily be safeguarded.