Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins (updated, with patch)

On March 1st, 2024, during the second Wordfence Bug Bounty Extravaganza, Wordfence received a submission for a Privilege Escalation vulnerability in miniOrange’s Malware Scanner, a WordPress plugin with more than 10,000 active installations, and the Wordfence Threat Intelligence team identified the same vulnerability in miniOrange’s Web Application Firewall, a WordPress plugin with more than 300 active installations. The vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating a user’s password.
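The post does not show the affected code, so the following is an added illustration of the general bug class only (an AJAX handler reachable by logged-out visitors that sets a password for whatever user ID the request names, next to a version that checks a nonce and the caller's capability). It is not code from either miniOrange plugin or from Wordfence; the hook names, handler functions and request fields are hypothetical.

```php
<?php
// Added illustration of the vulnerability class. Hypothetical code, not the
// miniOrange plugins' own; hook, function and field names are assumptions.

// VULNERABLE PATTERN: registered for logged-out visitors (wp_ajax_nopriv_)
// and no check of who the caller is before changing another account's password.
add_action('wp_ajax_nopriv_example_reset_password', 'example_reset_password_vulnerable');
add_action('wp_ajax_example_reset_password', 'example_reset_password_vulnerable');

function example_reset_password_vulnerable() {
    $user_id  = absint($_POST['user_id'] ?? 0);
    $password = (string) ($_POST['password'] ?? '');

    // Anyone who can reach admin-ajax.php can send user_id=1 (usually the
    // first administrator) with a password of their choosing, then log in
    // as that user. The password write itself is the intended feature; the
    // missing authorization check is the bug.
    wp_set_password($password, $user_id);
    wp_send_json_success('updated');
}

// HARDENED PATTERN: logged-in callers only (wp_ajax_ without nopriv), a CSRF
// nonce, an authorization check scoped to the target user, and the target
// must actually exist.
add_action('wp_ajax_example_reset_password_safe', 'example_reset_password_hardened');

function example_reset_password_hardened() {
    // Dies with a 403 unless the request carries a valid nonce for this action.
    check_ajax_referer('example_reset_password_safe', 'nonce');

    $user_id  = absint($_POST['user_id'] ?? 0);
    $password = (string) wp_unslash($_POST['password'] ?? '');

    // Authorization: only a caller allowed to edit this specific user may
    // change its password. For a non-administrator that is only their own
    // account; editing other users requires the edit_users capability.
    if (!$user_id || !get_userdata($user_id) || !current_user_can('edit_user', $user_id)) {
        wp_send_json_error('forbidden', 403);
    }

    if (strlen($password) < 12) {
        wp_send_json_error('password too short', 400);
    }

    wp_set_password($password, $user_id);
    wp_send_json_success('updated');
}
```

When reviewing a plugin for this class of issue, look for every `wp_ajax_nopriv_`, `admin_init`, `init` or REST route callback that reaches a privileged write such as `wp_set_password`, `wp_update_user` or a role change, and confirm that a `current_user_can` check on the target object (not merely `is_user_logged_in`) sits on every path to it. A firewall rule like the one Wordfence shipped blocks known exploit requests but does not restore the missing check; only the vendor's patch does.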

Update as of 3/26/2024: Both plugins have been patched and re-opened in the WordPress repository. We recommend updating to the respective patched versions immediately.  

Props to Stiofan, who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program and earned a bounty of $1,250.00 for the discovery during the Bug Bounty Extravaganza. While plugins with fewer than 50,000 active installations are out of scope for standard researchers in the Bug Bounty Program, Wordfence made an exception due to the potential impact of this vulnerability. The mission of Wordfence is to Secure the Web, so they are proud to continue investing in vulnerability research like this and collaborating with researchers of this caliber through the Bug Bounty Program.

Users of paid versions of Wordfence received a firewall rule to protect against any exploits targeting this vulnerability on March 4, 2024. Sites using the free version of Wordfence received the same protection on April 3, 2024.

MiniOrange was contacted on March 5, 2024, and Wordfence received a response on March 6, 2024. Wordfence provided full disclosure details the same day, after which the developer closed the plugins. Once they were patched on 3/26/2024, the plugins were re-opened in the WordPress plugin repository.

Source and more details: https://www.wordfence.com/blog/2024/03/critical-vulnerability-remains-unpatched-in-two-permanently-closed-miniorange-wordpress-plugins-1250-bounty-awarded/

Posted in Vulnerability.