WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

WordPress miniOrange Plugins

WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.

The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. It affects the following versions of the two plugins –

It is worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations.

"This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password," Wordfence reported last week.

The issue is the result of a missing capability check in the function mo_wpns_init() that enables an unauthenticated attacker to arbitrarily update any user's password and escalate their privileges to those of an administrator, potentially leading to a complete compromise of the site.

"Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would," Wordfence said.

"This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content."

The development comes as the WordPress security company warned of a similar high-severity privilege escalation flaw in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions up to and including 5.3.0.0.

The issue, addressed on March 11, 2024, with the release of version, allows an authenticated attacker to grant themselves administrative privileges by updating the user role. The plugin has more than 10,000 active installations.

"This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to those of a site administrator, which can ultimately lead to complete site compromise," István Márton said.
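Both flaws above share one root cause: a handler that changes privileged state (a user's password, a user's role) without verifying who is asking. The hypothetical WordPress plugin code below is an added illustration, not code from miniOrange, RegistrationMagic or Wordfence; every function, hook and request parameter name in it is invented. It shows the unguarded pattern beside a hardened version that gates the same operation on a capability check, a nonce and sanitised input.

```php
<?php
// Added example. Names prefixed "example_" are hypothetical and do not
// correspond to any real plugin's code.

// BEFORE: runs on every request via the 'init' hook and trusts the request
// body outright. Nothing checks whether the caller is logged in, let alone
// whether they may edit the target account.
function example_insecure_init() {
    if ( isset( $_POST['example_user_id'], $_POST['example_new_password'] ) ) {
        wp_set_password( $_POST['example_new_password'], (int) $_POST['example_user_id'] );
    }
}
add_action( 'init', 'example_insecure_init' );

// AFTER: the same operation, reachable only through admin-post.php for a
// logged-in user, and guarded by a nonce, a capability check and sanitisation.
function example_secure_handle_password_reset() {
    if ( ! isset( $_POST['example_user_id'], $_POST['example_new_password'] ) ) {
        return;
    }

    // 1. Nonce: proves the request came from the plugin's own form.
    //    check_admin_referer() terminates the request if the nonce is invalid.
    check_admin_referer( 'example_reset_password', 'example_nonce' );

    // 2. Capability: 'edit_user' is a meta capability WordPress resolves per
    //    target account, so a subscriber cannot reset an administrator's password.
    $user_id = absint( $_POST['example_user_id'] );
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 3. Input: unslash and sanitise before use.
    $new_password = sanitize_text_field( wp_unslash( $_POST['example_new_password'] ) );
    wp_set_password( $new_password, $user_id );
}
// admin_post_{action} fires only for authenticated users posting to
// admin-post.php; the unauthenticated variant (admin_post_nopriv_*) is
// deliberately not registered for this action.
add_action( 'admin_post_example_reset_password', 'example_secure_handle_password_reset' );
```

The same three guards apply to a role change: replace wp_set_password() with the role update and check current_user_can( 'promote_users' ) alongside 'edit_user'.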
