CVE-2024-2172
Malware Scanner <= 4.7.2 and Web Application Firewall <= 2.1.1 - Unauthenticated Privilege Escalation
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.
| CWE | CWE-304 |
| Vendor | cyberlord92 |
| Product | web application firewall – website security |
| Published | Mar 13, 2024 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for cyberlord92 web application firewall – website security
Be the first to know when new critical vulnerabilities affecting cyberlord92 web application firewall – website security are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
cyberlord92 / Web Application Firewall – website security
0 ≤ 2.1.1
cyberlord92 / Malware Scanner
0 ≤ 4.7.2
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89 wordpress.org: https://wordpress.org/plugins/miniorange-malware-protection/ plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3054179%40miniorange-malware-protection&new=3054179%40miniorange-malware-protection&sfp_email=&sfph_mail= plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3054255%40web-application-firewall&new=3054255%40web-application-firewall&sfp_email=&sfph_mail=
Credits
Stiofan O'Connor