WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.
The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system and discovered by Stiofan. It impacts the following versions of the two plugins -
- Malware Scanner (versions <= 4.7.2)
- Web Application Firewall (versions <= 2.1.1)
It's worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations.
"This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password," Wordfence reported last week. Read More..