Discontinued Security Plugins Expose Many WordPress Sites to Takeover
Summary:
Wordfence has cautioned that thousands of WordPress sites are vulnerable to takeover due to a critical bug in two MiniOrange plugins that were recently discontinued. The plugins, Malware Scanner and Web Application Firewall, were shut down on March 7 after a critical flaw was detected. Tracked as CVE-2024-2172 with a CVSS score of 9.8, the vulnerability arises from a missing capability check in both plugins, allowing unauthenticated attackers to escalate their privileges to administrator by changing user passwords without authentication.
In a separate incident, Wordfence flagged another privilege escalation vulnerability affecting numerous WordPress sites in the RegistrationMagic plugin, which handles user registration functions and boasts over 10,000 active installations. Tracked as CVE-2024-1991, this high-severity flaw allows authenticated users, such as subscribers, to grant themselves administrative privileges by exploiting a poorly implemented function for updating user roles.
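Both flaws above belong to the same bug class: a request handler that changes security-sensitive state (a password, a role) without asking WordPress whether the caller is allowed to. The block below is an added illustration, not code from MiniOrange, RegistrationMagic, or Wordfence. It shows a hypothetical handler with that defect next to a hardened version for each of the two operations the page describes; every name prefixed `acme_` is invented, while `check_ajax_referer`, `current_user_can`, `user_can`, `get_editable_roles`, `wp_set_password` and `wp_send_json_error` are real WordPress core functions.

```php
<?php
/*
 * Added illustration of a missing capability check in a WordPress plugin
 * (hypothetical plugin prefix acme_; not the actual vulnerable code).
 */

/* --- Vulnerable pattern: reachable by anyone, no authorization check ------- */
function acme_reset_password_vulnerable() {
    $user_id  = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;
    $password = isset( $_POST['password'] ) ? (string) $_POST['password'] : '';
    // No nonce and no current_user_can(): the handler trusts whoever reaches
    // admin-ajax.php, so any visitor can set a new password on any account.
    wp_set_password( $password, $user_id );
    wp_send_json_success( 'password changed' );
}
// 'wp_ajax_nopriv_' registers the action for visitors who are NOT logged in.
add_action( 'wp_ajax_nopriv_acme_reset_password', 'acme_reset_password_vulnerable' );
add_action( 'wp_ajax_acme_reset_password',        'acme_reset_password_vulnerable' );

/* --- Hardened password handler ------------------------------------------- */
function acme_reset_password_secure() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'acme_reset_password', 'nonce' );

    // 2. Authorization: only users allowed to edit other accounts may proceed.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $user_id  = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;
    $password = isset( $_POST['password'] ) ? (string) $_POST['password'] : '';

    // 3. Input validation: the target must exist and the password must not be trivial.
    if ( ! get_userdata( $user_id ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // 4. A user editor must not be able to take over an administrator account.
    if ( user_can( $user_id, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'cannot modify administrator accounts', 403 );
    }

    wp_set_password( $password, $user_id );
    wp_send_json_success( 'password changed' );
}
// Registered only for logged-in users; the capability check does the real gating.
add_action( 'wp_ajax_acme_reset_password_secure', 'acme_reset_password_secure' );

/* --- Hardened role-update handler (the RegistrationMagic-style case) ------ */
function acme_update_role_secure() {
    check_ajax_referer( 'acme_update_role', 'nonce' );

    // Subscribers hold neither capability, so they stop here.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    // Only roles the current user is permitted to assign are accepted.
    // get_editable_roles() lives in wp-admin/includes/user.php, which
    // admin-ajax.php loads; other entry points must require_once it.
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        wp_send_json_error( 'role not assignable by caller', 403 );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 400 );
    }

    $user->set_role( $role );
    wp_send_json_success( 'role updated' );
}
add_action( 'wp_ajax_acme_update_role', 'acme_update_role_secure' );
```

The two ideas worth keeping from the hardened versions are that the capability check happens before any input is read, and that the check is against the specific capability the operation needs (`edit_users`, `promote_users`) rather than merely "is logged in", which is the distinction an authenticated subscriber exploits when a plugin only tests for a session.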
Security Officer Comments:
Wordfence explains that this type of privilege escalation can lead to complete site compromise, granting attackers administrative control over the targeted site. The bug was reported externally through Wordfence's bug bounty program, earning the researcher a $1,250 reward. Malware Scanner had over 10,000 active installations, while Web Application Firewall had more than 300 before they were discontinued; since no fixed version exists, site owners are urged to delete these plugins immediately.
Suggested Corrections:
The RegistrationMagic vulnerability (CVE-2024-1991) was patched in version 5.3.1.0, and the reporting researcher received a $1,313 bug bounty reward. Site administrators are urged to update to the patched version to protect against potential attacks.
Link(s):
https://www.securityweek.com/discontinued-security-plugins-expose-many-wordpress-sites-to-takeover/
https://www.wordfence.com/blog/2024...orange-wordpress-plugins-1250-bounty-awarded/