CVE-2024-2172 patched in both Malware Scanner and Web Application Firewall plugin
(Security Patch Release Update)
Security Patch Released
We want to announce the release of a crucial patch designed to address vulnerabilities identified in both our Malware Scanner and Web Application Firewall plugins, tagged under the identifier CVE-2024-2172.
Users running Malware Scanner (versions <= 4.7.2) or Web Application Firewall (versions <= 2.1.1) should immediately upgrade both plugins to the latest version, specifically version 4.7.4 or newer for Malware Scanner and version 2.1.2 for Web Application Firewall, to ensure comprehensive protection. We assure you that the security patch effectively mitigates the reported vulnerabilities.
Malware Scanner | |
Plugin Name | Malware Scanner (view on wordpress.org) |
Patched? | Yes |
Remediation | Update to version 4.7.3, or a newer patched version |
Affected Version | <= 4.7.2 |
Patched Version | 4.7.3 |
CVE Details
We have rolled out a security patch for the vulnerability tracked as CVE-2024-2172 by Stiofan - AyeCode Ltd, published by Wordfence and others. It is an Unauthenticated Privilege Escalation issue attributed to a missing capability check in the function mo_wpns_init(), which could enable an attacker to arbitrarily update any user's password and escalate their privileges to that of an administrator.
Mitigation
The handle_change_password() function has been removed from the init hook, as it was no longer being used in the plugin. This functionality was deprecated by miniOrange long ago, and the obsolete code has now been removed as well. The required capability checks and nonces have also been added at the necessary places in the plugins.
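The pattern the mitigation describes, shown as an added example that is not miniOrange's code: a password-change handler registered on an authenticated hook instead of init, guarded by a nonce and a capability check. The `example_` function names, the action name and the form field names are hypothetical; the WordPress functions called are core APIs.

```php
<?php
// Added example: hypothetical plugin code, every example_* name is made up.

// admin_post_{action} fires only for logged-in users. No admin_post_nopriv_
// counterpart is registered, and nothing is attached to `init`, which runs
// on every request, including those from anonymous visitors.
add_action( 'admin_post_example_change_password', 'example_handle_change_password' );

function example_handle_change_password() {
    // 1. Nonce: the request must come from a form this site rendered for the
    //    current user (CSRF protection). check_admin_referer() dies on failure.
    check_admin_referer( 'example_change_password', 'example_nonce' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $user_id || ! get_userdata( $user_id ) ) {
        wp_die( 'Unknown user.', '', array( 'response' => 400 ) );
    }

    // 2. Capability: 'edit_user' is a meta capability evaluated against the
    //    target account, so a low-privileged user cannot touch an administrator.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'You are not allowed to edit this user.', '', array( 'response' => 403 ) );
    }

    // Passwords are unslashed but not sanitized, so no characters are lost.
    $new_password = isset( $_POST['new_password'] ) ? wp_unslash( $_POST['new_password'] ) : '';
    if ( '' === $new_password ) {
        wp_die( 'Password must not be empty.', '', array( 'response' => 400 ) );
    }

    wp_set_password( $new_password, $user_id );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// Form side: emits the nonce field that the handler verifies.
function example_render_change_password_form( $user_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_change_password">
        <input type="hidden" name="user_id" value="<?php echo absint( $user_id ); ?>">
        <?php wp_nonce_field( 'example_change_password', 'example_nonce' ); ?>
        <input type="password" name="new_password" required>
        <button type="submit">Change password</button>
    </form>
    <?php
}
```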
We have promptly addressed these concerns with the rollout of the security patch. At miniOrange, our dedication to delivering robust security solutions remains steadfast. Each vulnerability report is treated with the utmost seriousness,
We want to assure all our users that our plugins offer even greater security with this latest security patch. The security issues identified in the miniOrange Malware Scanner and Web Application Firewall plugins have undergone thorough investigation and resolution. The vulnerabilities highlighted in the Wordfence and WordPress Contributors reports have been swiftly patched, rendering the plugins safe for use. Users can now access the updated versions for download.
At miniOrange, we take pride in our adherence to the security benchmarks established by WordPress. Our products are meticulously crafted with your security requirements in mind, and we remain steadfast in our commitment to furnishing dependable and trustworthy solutions. We extend our heartfelt gratitude for your continued trust in miniOrange.