A critical vulnerability was found in miniOrange’s Malware Scanner and Web Application Firewall plugins, allowing unauthenticated attackers to gain admin access to WordPress sites. This highlights ongoing challenges for website administrators in securing their digital assets against cyber threats.
CVE-2024-2172: A Critical WordPress Vulnerability
The core issue revolves around a privilege escalation vulnerability identified as CVE-2024-2172, with a critical severity level and a CVSS score of 9.8.
This flaw affected all versions up to and including 4.7.2 of the Malware Scanner plugin and all versions up to and including 2.1.1 of the Web Application Firewall plugin. The mo_wpns_init() function, which runs during plugin initialization, was missing a capability check, so the password-update path it exposes could be reached by an unauthenticated visitor. An attacker could therefore reset the password of an existing user, including an administrator, and log in with full administrative privileges.
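The following is an added illustration of the bug class described above, written for this article; it is not miniOrange's code and it does not reproduce the contents of mo_wpns_init(). The function names, the `example_` POST fields and the nonce action are invented. It shows a password-update handler hooked to `init` that trusts whoever sends the request, beside the same feature gated on a capability check and a user-bound nonce. The practitioner's point is that in WordPress a nonce is a CSRF token, not an authorization check: a handler that only verifies a nonce, or verifies nothing, still runs for anonymous requests unless it calls current_user_can().

```php
<?php
/**
 * Added example (hypothetical plugin code, not miniOrange's):
 * a password-update handler on the `init` hook, vulnerable and hardened.
 * `init` fires on every request, logged in or not, so any handler on it
 * must decide for itself who is allowed to trigger it.
 */

// VULNERABLE pattern: no capability check at all. Any visitor who posts
// example_action=update_password can reset any account, admin included.
function example_vulnerable_init() {
    if ( isset( $_POST['example_action'] ) && 'update_password' === $_POST['example_action'] ) {
        $user_id  = (int) $_POST['user_id'];
        $password = (string) $_POST['new_password'];
        wp_set_password( $password, $user_id ); // reachable unauthenticated
    }
}

// HARDENED pattern: same feature, reachable only by a logged-in user who may
// edit the target account, on a request carrying a nonce issued to that user.
// The form that submits here would emit the nonce with
//   wp_nonce_field( 'example_update_password', 'example_nonce' );
function example_hardened_init() {
    if ( ! isset( $_POST['example_action'] ) || 'update_password' !== $_POST['example_action'] ) {
        return;
    }

    // 1. Authentication: anonymous requests stop here.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF: the nonce is bound to the current user and the action name, so an
    //    attacker cannot make a logged-in admin's browser submit this for them.
    $nonce = isset( $_POST['example_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_update_password' ) ) {
        wp_die( 'Invalid request', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Authorization: the `edit_user` meta capability is checked against the
    //    specific target, so a Subscriber cannot reset an Administrator's password.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $user_id || ! get_user_by( 'id', $user_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }

    // 4. Only now touch the credential.
    $password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $password ) < 12 ) {
        return; // reject trivially short passwords; policy threshold is arbitrary here
    }
    wp_set_password( $password, $user_id );
}

add_action( 'init', 'example_hardened_init' );
```

When reviewing a plugin for this class of bug, look at every callback registered on `init`, `admin_init`, `wp_loaded` or an unauthenticated AJAX/REST endpoint that reads `$_POST` or `$_GET` and performs a state change; each one should call current_user_can() (with a capability appropriate to the action) before doing anything, and a nonce check alone should not be accepted as the gate.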
The vulnerability was discovered by a researcher named Stiofan, who reported it through the Wordfence Bug Bounty Program during their second Bug Bounty Extravaganza on March 1, 2024. Wordfence, a leading provider of WordPress security solutions, confirmed the flaw and identified that it also affected miniOrange’s Web Application Firewall plugin.
In recognition of the discovery, Stiofan was awarded a bounty of $1,250.00. Wordfence acted swiftly to mitigate the risk posed by this vulnerability. On March 4, 2024, Premium, Care, and Response users of Wordfence received a firewall rule to protect against exploits targeting this flaw. Users of the free version of Wordfence were scheduled to receive the same protection on April 3, 2024.
Upon notification of the vulnerability, miniOrange responded by permanently closing the affected plugins on March 7, 2024, which removes them from the WordPress.org plugin directory; no patched version was or will be published, so automatic updates cannot deliver a fix.
This drastic measure highlights the severity of the vulnerability and the potential risks to WordPress sites if left unaddressed. This incident is a stark reminder of the importance of maintaining up-to-date security measures for WordPress sites. Website administrators are urged to delete the affected miniOrange plugins from their sites immediately and seek alternative solutions. Because the flaw allowed password changes without authentication, sites that had either plugin installed should also review their administrator accounts for unexpected users or recently changed passwords and rotate credentials where anything looks wrong.
The discovery and resolution of this vulnerability demonstrate the critical role of bug bounty programs and collaborative efforts between security researchers and plugin developers in identifying and mitigating security risks.
The Wordfence Bug Bounty Program, in particular, has proven invaluable in securing the WordPress ecosystem by encouraging researchers to report vulnerabilities responsibly. The discontinuation of miniOrange’s Malware Scanner and Web Application Firewall plugins after discovering a critical privilege escalation vulnerability is a cautionary tale for the WordPress community.