Pierluigi Paganini March 18, 2024

A critical vulnerability in WordPress miniOrange’s Malware Scanner and Web Application Firewall plugins can allow site takeover.

On March 1st, 2024, WordPress security firm Wordfence received a submission for a Privilege Escalation vulnerability in miniOrange’s Malware Scanner as part of the company Bug Bounty initiative Extravaganza.

This WordPress plugin has more than 10,000+ active installations. The researchers at the Wordfence Threat Intelligence team also identified the same vulnerability in miniOrange’s Web Application Firewall plugin that has more than 300+ active installations.

An unauthenticated attacker can exploit this vulnerability to gain administrative privileges by updating the user password.

The research urge WordPress administrators to remove the impacted plugins.

“Both miniOrange’s Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately!” reads the advisory.

“This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password.”

“Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would,” Wordfence said.

The vulnerability, tracked as CVE-2024-2172 (CVSS score 9.8) impacts the following versions of the plugins:

• Malware Scanner (versions <= 4.7.2)
• Web Application Firewall (versions <= 2.1.1)

The maintainers have closed both plugins since March 7, 2024.

The privilege escalation vulnerability is caused by a missing capability check on the mo_wpns_init() function in the vulnerable plugins.

The issue can lead to complete site compromise, once an attacker gains administrative user access to a WordPress site, they can manipulate it just like any normal administrator. The attacker can upload plugin and theme files, which may contain malicious backdoors, and modifying posts and pages to redirect users to malicious sites or inject spam content.

The researchers who reported this issue, Stiofan, earned a bounty of $1,250.00 under the Wordfence Bug Bounty Program.

“The plugins have been permanently closed, and there are no patches available or forthcoming for them. We encourage WordPress users to delete these plugins from their sites.” concludes the report

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress miniOrange plugins)