
Two critical vulnerabilities in WordPress plugins from miniOrange will never receive a patch. More than 10,000 websites use the Malware Scanner plugin to detect attackers. However, the tool itself is exploitable by malicious actors.

The vulnerability in Malware Scanner was found by WordPress researcher Stiofan O’Connor for a “Bug Bounty Extravaganza” by Wordfence. Although the number of active installations is relatively low (the minimum is normally 50,000 for Bug Bounty rewards), Wordfence made an exception due to the serious nature of the vulnerability.

No longer maintained

After further investigation, the researchers found the same vulnerability in miniOrange’s Web Application Firewall plugin, which has only a little over 300 installations. The flaw is a missing capability check present in all versions of both tools, and it enables privilege escalation: malicious actors can work their way up to administrator on an affected WordPress site. Affected sites must remove the plugins.
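To show what “missing capability check” means in practice, here is an added illustration of the bug class in a WordPress plugin, written for this article and not taken from miniOrange’s code. The vulnerable handler exposes a privileged action to any caller; the hardened version below it adds the capability check, a nonce check and an allow-list. All function, hook and nonce names are hypothetical.

```php
<?php
// Added illustration of the bug class behind this advisory (not miniOrange's code).
// All names below (example_*, nonce action) are hypothetical.

// VULNERABLE pattern: an AJAX endpoint that changes a user's role but never asks
// who is calling it. Hooking it on wp_ajax_nopriv_ makes it reachable without a login.
function example_insecure_set_role() {
    $user_id = intval( $_POST['user_id'] ?? 0 );
    $user    = get_user_by( 'id', $user_id );
    if ( $user ) {
        $user->set_role( 'administrator' ); // no capability check: privilege escalation
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_set_role', 'example_insecure_set_role' );
add_action( 'wp_ajax_nopriv_example_set_role', 'example_insecure_set_role' );

// HARDENED pattern: require a capability and a nonce, validate input against an
// allow-list, and never register a privileged handler on the nopriv hook.
function example_secure_set_role() {
    // 1. Capability check: only users allowed to promote others get past this line.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce check: stops CSRF against an administrator who is already logged in.
    check_ajax_referer( 'example_set_role_nonce', 'nonce' );

    $user_id = intval( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( $_POST['role'] ?? '' );
    // 3. Allow-list the target role instead of trusting the request.
    if ( ! in_array( $role, array( 'subscriber', 'editor' ), true ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    $user->set_role( $role );
    wp_send_json_success();
}
// Logged-in users only; there is deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_set_role_secure', 'example_secure_set_role' );
```

When auditing a plugin, every `wp_ajax_*`, REST route and `admin_post_*` handler that changes state should show the equivalent of steps 1 and 2 before touching the database.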

Both plugins share the same identifier, CVE-2024-2172. Wordfence gave it a score of 9.8 out of a maximum of 10.0.

When Wordfence inquired, miniOrange confirmed that it will no longer maintain the plugins, leading the researchers to emphasize that keeping them installed on WordPress sites is dangerous. Because the developers will not provide any further updates, the scanner will also be unable to detect future threats.

Wordfence additionally states that attackers can install a backdoor through the vulnerability. This means that attackers can continue to dwell inside the backend even after the miniOrange plugin has been removed. Threat actors could also redirect website visitors to rogue links as a result, which can cause further damage to these users.
