WordPress administrators are urged to swiftly remove miniOrange plugins from their websites due to a critical security vulnerability identified in the Malware Scanner and Web Application Firewall plugins. Rated at 9.8 on the CVSS scale, the flaw allows unauthenticated attackers to attain administrative privileges, posing a significant risk to over 10,000 active installations. The plugins have been permanently closed by maintainers following the discovery of the flaw, which could potentially lead to complete site compromise.
The vulnerability, addressed on March 11, 2024, with the release of version 5.3.1.0, permits attackers to elevate their privileges by updating the user role. István Márton highlighted that authenticated threat actors with subscriber-level permissions or higher could exploit the flaw to gain administrator access, enabling them to manipulate site elements and potentially compromise site integrity. This development underscores the importance of promptly addressing security vulnerabilities to mitigate the risk of exploitation and safeguard WordPress installations.
WordPress security experts emphasize the severity of the situation, as attackers gaining administrative access can manipulate site content, upload malicious files, and inject spam content. The potential for complete compromise of affected sites underscores the urgency for administrators to take immediate action by removing the vulnerable miniOrange plugins. This incident further highlights the evolving threat landscape facing WordPress websites and underscores the critical role of timely patching and proactive security measures to mitigate risks and protect digital assets.
