Privilege Escalation in Malware Scanner and Web Application Firewall for WordPress by MiniOrange
CVE-2024-2172

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Web Application Firewall – Website Security; Malware Scanner
Vendor: CVE Published:; 13 March 2024

Summary

The Malware Scanner and the Web Application Firewall plugins for WordPress, developed by MiniOrange, exhibit a vulnerability that allows unauthenticated attackers to escalate their privileges due to a missing capability check in the mo_wpns_init() function. This flaw affects all versions of the Malware Scanner up to and including 4.7.2 and the Web Application Firewall up to and including 2.1.1. Attackers exploiting this vulnerability can gain administrative access, posing serious risks to website integrity and security.

Affected Version(s)

Malware Scanner * <= 4.7.2

Web Application Firewall – website security * <= 2.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/miniorange-mal...

https://wordpress.org/plugins/miniorange-malware-protection/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 13, 2024
Vulnerability Reserved
Mar 4, 2024

Credit

Stiofan O'Connor