Discontinued Security Plugins Expose Many WordPress Sites to Takeover


The Wordfence team at WordPress security company Defiant warns that a critical-severity vulnerability in two recently discontinued MiniOrange plugins could put thousands of WordPress websites at risk of being taken over.

The two MiniOrange plugins, Malware Scanner and Web Application Firewall, were closed on March 7, two days after the critical flaw was reported to the maintainers. The bug, tracked as CVE-2024-2172 (CVSS score of 9.8), exists due to a missing capability check in a function in both plugins, allowing an unauthenticated attacker to escalate their privileges to administrator.

The bug was reported externally via the Wordfence bug bounty program, and the reporting researcher received a USD 1,250 reward for the discovery.
