Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins – $1,250 Bounty Awarded


🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!


On March 1st, 2024, during our second Bug Bounty Extravaganza, we received a submission for a Privilege Escalation vulnerability in miniOrange’s Malware Scanner, a WordPress plugin with more than 10,000+ active installations, and our Wordfence Threat Intelligence team identified the same vulnerability in miniOrange’s Web Application Firewall, a WordPress plugin with more than 300+ active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password.

Update as of 3/26/2024: Both plugins have been patched and re-opened in the WordPress repository. We recommend updating to the respective patched versions immediately.  Both miniOrange’s Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately! 

Props to Stiofan who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,250.00 for this discovery during our Bug Bounty Program Extravaganza. While plugins with fewer than 50,000 Active Installations are out of scope for standard researchers in our Bug Bounty Program, we made an exception due to the potential impact of this vulnerability. Our mission is to Secure the Web, so we are proud to continue investing in vulnerability research like this and collaborating with researchers of this caliber through our Bug Bounty Program. This demonstrates that we are not only committed to investing in making the WordPress ecosystem more secure, but also the entire web.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 4, 2024. Sites using the free version of Wordfence will receive the same protection on April 3, 2024.

We contacted MiniOrange on March 5, 2024, and received a response on March 6, 2024. After providing full disclosure details the same day, the developer closed the plugins permanently. This means that there will never be a patch available for the plugins.

We urge users to delete the miniOrange’s Malware Scanner and the Web Application Firewall plugins from their websites immediately and search for alternative plugins.

Vulnerability Summary from Wordfence Intelligence

Description: Malware Scanner <= 4.7.2 and Web Application Firewall <= 2.1.1 – Unauthenticated Privilege Escalation
Affected Plugins: Malware Scanner and Web Application Firewall
Plugin Slugs: miniorange-malware-protection and web-application-firewall
Affected Versions: <= 4.7.2 (for Malware Scanner) and <= 2.1.1 (for Web Application Firewall)
Patched Versions: 4.7.3 (for Malware Scanner) and <= 2.1.2 (for Web Application Firewall)
CVE ID: CVE-2024-2172
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Stiofan
Bounty Award: $1,250.00

The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.

Technical Analysis

Both plugins have the same vulnerability in the same function, so our analysis covers this function.

Examining the code reveals that the plugin adds the mo_wpns_init() function in the mo_mmp_LoginHandler class to the init hook.

add_action( 'init' , array( $this, 'mo_wpns_init' ) );

In this function if the value of the ‘option’ parameter is ‘mo_wpns_change_password’, it calls the handle_change_password() function.

switch(sanitize_text_field($_POST['option']))
{
	case "mo_wpns_change_password":
		$this->handle_change_password(sanitize_text_field($_POST['username'])
			,$_POST['new_password'],$_POST['confirm_password']);		break;
}
function handle_change_password($username,$newpassword,$confirmpassword)
{
	global $mmp_dirName;
	$user  = get_user_by("login",$username);
	$error = wp_authenticate_username_password($user,$username,$newpassword);

	if(is_wp_error($error))
	{
		$this->mo_wpns_login_failed($username);
		return $error;
	}

	if($this->update_strong_password($username,$newpassword,$confirmpassword)=="success")
	{
		wp_set_auth_cookie($user->ID,false,false);
		$this->mo_wpns_login_success($username);
		wp_redirect(get_option('siteurl'),301);
	}
}

The most significant problem and vulnerability is caused by the fact that the wp_authenticate_username_password() function is not used correctly in the handle_change_password() function. The $user object is passed to the authenticate function, which is queried with the get_user_by() function based on the username.

function wp_authenticate_username_password( $user, $username, $password ) {
	if ( $user instanceof WP_User ) {
		return $user;
	}

This parameter should default to null because if it’s a WP_User object, there’s no authentication and password validation, the function just simply returns the user object.

Since there is no authentication and password validation, the update_strong_password() function is executed in the handle_change_password() function in every case where a valid username is supplied, updating the password for the specified user. This made it possible for unauthenticated users to arbitrarily update any user’s password.

As with any Arbitrary User Password Change that leads to a Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

Disclosure Timeline

March 1, 2024 – We receive the submission of the Privilege Escalation vulnerability in miniOrange’s Malware Scanner via the Wordfence Bug Bounty Program.
March 4, 2024 – We validate the report and confirm the proof-of-concept exploit.
March 4, 2024 – The Wordfence Threat Intelligence team discovers that the same vulnerability exists in the miniOrange’s Web Application Firewall plugin.
March 4, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
March 5, 2024 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
March 6, 2024 – The vendor confirms the inbox for handling the discussion.
March 7, 2024 – The vendor closes the plugins permanently.
April 3, 2024 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability affecting versions 4.7.2 and earlier of the miniOrange’s Malware Scanner plugin and versions 2.1.1 and earlier of the miniOrange’s Web Application Firewall plugin. This vulnerability allows unauthenticated threat actors to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise. The plugins have been permanently closed, and there are no patches available or forthcoming for them.

We encourage WordPress users to delete these plugins from their sites.

Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of March 4, 2024. Users using the free version of Wordfence will receive the same protection on April 3, 2024.

If you know someone who uses these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

Did you enjoy this post? Share it!

Comments

No Comments