"Discontinued Security Plugins Expose Many WordPress Sites to Takeover"

Security researchers at Defiant are warning that thousands of WordPress websites are potentially at risk of takeover due to a critical-severity vulnerability in two MiniOrange plugins that were recently discontinued. The two plugins, Malware Scanner and Web Application Firewall from MiniOrange, were closed on March 7, two days after the critical flaw was reported to the maintainers. Tracked as CVE-2024-2172 (CVSS score of 9.8), the bug exists because of a missing capability check in a function present in both plugins, allowing an unauthenticated attacker to escalate their privileges to administrator. The researchers noted that because neither authentication nor password validation is performed when attempting to change a user's password, an unauthenticated attacker could update the password of any user account, as long as they provide a valid username. The issue was reported externally through the Wordfence bug bounty program, and the reporting researchers received a $1,250 reward for the finding.
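To make the root cause concrete for code reviewers, here is an added illustration (not MiniOrange's code, and not from the report) of a WordPress AJAX password-change handler in the weak shape the article describes, beside a hardened version. All function and action names (mo_demo_*) are invented for this example.

```php
<?php
// WEAK (hypothetical): reachable without login via wp_ajax_nopriv_, and it
// performs no capability check and no current-password check, so anyone who
// knows a valid username can set that account's password. This is the
// failure class the article attributes to CVE-2024-2172.
function mo_demo_pw_weak() {
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $user  = get_user_by( 'login', $login );
    if ( $user ) {
        wp_set_password( wp_unslash( $_POST['new_password'] ?? '' ), $user->ID );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_mo_demo_pw_weak', 'mo_demo_pw_weak' );
add_action( 'wp_ajax_nopriv_mo_demo_pw_weak', 'mo_demo_pw_weak' ); // the fatal line

// HARDENED (hypothetical): same feature with the missing checks restored.
function mo_demo_pw_hardened() {
    // 1. CSRF protection: the request must carry a nonce bound to this action.
    check_ajax_referer( 'mo_demo_pw', 'nonce' );

    $login  = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $target = get_user_by( 'login', $login );
    if ( ! $target ) {
        wp_send_json_error( 'unknown user', 404 );
    }
    // 2. Authorization: the caller must be allowed to edit THIS user
    //    (administrators, or the user acting on their own account).
    if ( ! current_user_can( 'edit_user', $target->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. A user changing their own password must prove the current one.
    if ( get_current_user_id() === $target->ID ) {
        $auth = wp_authenticate( $target->user_login, wp_unslash( $_POST['current_password'] ?? '' ) );
        if ( is_wp_error( $auth ) ) {
            wp_send_json_error( 'current password rejected', 403 );
        }
    }
    // 4. Minimal input validation on the new secret.
    $new = wp_unslash( $_POST['new_password'] ?? '' );
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }
    wp_set_password( $new, $target->ID );
    wp_send_json_success();
}
// Only the authenticated hook is registered: no wp_ajax_nopriv_ variant exists.
add_action( 'wp_ajax_mo_demo_pw', 'mo_demo_pw_hardened' );
```

Because both plugins have been closed, the practical mitigation for affected sites is removal rather than waiting for an update; the hardened handler is a code-review reference for the checks that were missing.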


SecurityWeek reports: "Discontinued Security Plugins Expose Many WordPress Sites to Takeover"

Submitted by Adam Ekwall on