Posted by - March 20, 2024

Is your organization’s website hosted on WordPress? According to a recent discovery by the Wordfence team, your site may be at risk. The Wordfence team at WordPress security company Defiant has disclosed critical vulnerabilities in two discontinued MiniOrange plugins, as well as another concerning flaw in the widely-used RegistrationMagic plugin. These vulnerabilities pose significant risks to thousands of WordPress websites, potentially leading to complete site compromise.

Addressing The Threat

The first alarming revelation comes with the discontinuation of the Malware Scanner and Web Application Firewall plugins from MiniOrange. These plugins contained a critical-severity vulnerability, with a CVSS score of 9.8. The flaw, identified as a missing capability check, allowed unauthenticated attackers to escalate their privileges to administrator status.

Shockingly, this vulnerability enabled attackers to change any user’s password without authentication or password validation. Site owners are strongly advised to remove these plugins immediately to mitigate the potential risks of exploitation.

Unfortunately, the threat doesn’t end there. Another privilege escalation flaw, this one in the RegistrationMagic plugin and impacting over 10,000 active installations, allowed authenticated users, even those with subscriber roles, to elevate their privileges to administrators. Through an insecure implementation of a function responsible for updating user roles, attackers could effectively take over vulnerable websites.
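
Both flaws described above come down to a request handler that changes account data without verifying what the caller is allowed to do. As an added illustration (not code from the affected plugins or from Wordfence; the hook name, nonce action and function name are hypothetical), this is a WordPress AJAX handler for role updates with those checks in place. The same pattern applies to any handler that resets a password.

```php
<?php
/**
 * Added example: a role-update AJAX handler with the checks whose absence
 * the article describes. All "example_*" names are hypothetical.
 */

// Register for logged-in users only. There is deliberately no
// wp_ajax_nopriv_* hook, so unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_update_user_role', 'example_update_user_role' );

function example_update_user_role() {
    // 1. CSRF protection: the request must carry a nonce issued for this
    //    action. check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_update_user_role', 'nonce' );

    // 2. Capability check: being logged in is not enough. A subscriber does
    //    not hold promote_users, so the request stops here.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Normalise input before using it.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';

    // 3. Object-level check: the target must exist and the caller must be
    //    allowed to edit that specific account.
    $user = get_userdata( $user_id );
    if ( ! $user || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid user' ), 400 );
    }

    // 4. Role allowlist: accept only roles the current user may assign,
    //    never an arbitrary string taken from the request.
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        wp_send_json_error( array( 'message' => 'Invalid role' ), 400 );
    }

    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}
```

When auditing a plugin, look for handlers that call `set_role()`, `wp_set_password()` or `wp_update_user()` without a preceding `current_user_can()` check, and for account-changing actions registered on a `wp_ajax_nopriv_*` hook.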

Implications For Businesses + Organizations

These recent incidents underscore the critical importance of promptly addressing vulnerabilities within WordPress plugins. With the sheer number of plugins available, site owners must remain vigilant and proactive in their security measures.

Regularly updating plugins, conducting security audits, and promptly removing discontinued or vulnerable plugins are essential steps in safeguarding WordPress websites against potential exploits.
