Discontinued miniOrange WordPress plugins expose sites to takeover
Take action: If you are using miniOrange Malware Scanner and Web Application Firewall, remove them from your WordPress sites. They are a risk, not a protection. They won't be fixed.
Two critical vulnerabilities have been identified in WordPress plugins developed by miniOrange, affecting over 10,000 websites.
The Malware Scanner and Web Application Firewall plugins are no longer supported by their developer, so any vulnerability found in them will stay unpatched, which makes them an easy target for attackers. Despite the relatively small install base of these plugins, Wordfence stressed the severity of the vulnerabilities.
One of the vulnerabilities is tracked as CVE-2024-2172 (CVSS score 9.8); both stem from a missing capability check, meaning a sensitive function in the plugins is reachable without any verification of who is calling it. The exposed function lets an unauthenticated attacker set a new password for any user account simply by supplying a valid username, with no authentication and no check of the existing password. Because WordPress usernames are routinely discoverable (author archive URLs, the public users REST endpoint, login error messages), knowing a valid username is not a meaningful barrier, so an attacker can reset the administrator's password and take over the site.
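To show the vulnerability class concretely, here is an added, hypothetical example in PHP of a plugin AJAX handler that exhibits a missing capability check, followed by a hardened version. This is illustrative code written for this page, not miniOrange's code; the action names (`example_reset_password`, `example_reset_password_safe`) and the nonce action are assumptions. The WordPress functions used (`check_ajax_referer`, `current_user_can`, `get_user_by`, `wp_set_password`, `wp_send_json_error`) are the real core APIs.

```php
<?php
// Added illustrative example (not the plugin's real code).
// Demonstrates the "missing capability check" vulnerability class beside its fix.

// --- VULNERABLE (hypothetical) ---------------------------------------------
// Registering on wp_ajax_nopriv_* exposes the handler to anonymous visitors,
// and the handler never checks a nonce or a capability before acting.
add_action( 'wp_ajax_nopriv_example_reset_password', 'example_reset_password_vulnerable' );
add_action( 'wp_ajax_example_reset_password',        'example_reset_password_vulnerable' );

function example_reset_password_vulnerable() {
    $username = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ) ) : '';
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        wp_send_json_error( 'no such user' );
    }

    // Any valid username, including an administrator's, gets the attacker's
    // chosen password. This is the account-takeover primitive described above.
    wp_set_password( $password, $user->ID );
    wp_send_json_success( 'password updated' );
}

// --- HARDENED ---------------------------------------------------------------
// 1. No wp_ajax_nopriv_ hook: unauthenticated callers never reach the handler.
// 2. A nonce bound to this action blocks cross-site request forgery.
// 3. The 'edit_user' meta capability is checked for the specific target user;
//    WordPress maps it so users may edit themselves, and otherwise requires
//    edit_users (or manage_network_users on multisite).
add_action( 'wp_ajax_example_reset_password_safe', 'example_reset_password_safe' );

function example_reset_password_safe() {
    // Dies with a 403 if the nonce is missing or invalid (assumed nonce action name).
    check_ajax_referer( 'example_reset_password', 'nonce' );

    $username = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ) ) : '';
    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    $target = get_user_by( 'login', $username );
    if ( ! $target ) {
        wp_send_json_error( 'no such user', 404 );
    }

    // The capability check that the vulnerable handler lacks.
    if ( ! current_user_can( 'edit_user', $target->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $password, $target->ID );
    wp_send_json_success( 'password updated' );
}
```

When reviewing a plugin, the quick check is to list every `wp_ajax_nopriv_*`, `admin_post_nopriv_*` and REST route with `'permission_callback' => '__return_true'`, and confirm that none of them reaches a state-changing call such as `wp_set_password()`, `wp_update_user()` or `update_option()`. A privileged operation behind a `nopriv` hook with no `current_user_can()` call is exactly the pattern this advisory describes.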
Wordfence reached out to miniOrange, who confirmed that the plugins would no longer be maintained. This means there will be no future updates or patches to address these or any other vulnerabilities, leaving the sites using these plugins at significant risk.
Website owners are advised to delete these plugins immediately rather than merely deactivating them. Because the flaw is exploitable without authentication, owners of sites that ran either plugin should also review the list of administrator accounts, remove any they do not recognise, and reset the passwords of accounts whose passwords changed unexpectedly.