Wordfence printed an advisory on the WordPress Malcure Malware Scanner plugin, which was found to have a vulnerability rated at a severity stage of 8.1. On the time of publishing, there isn’t any patch to repair the issue.
Screenshot Exhibiting 8.1 Severity Score
Malcure Malware Scanner Vulnerability
The Malcure Malware Scanner plugin, put in on over 10,000 WordPress web sites, is weak to “Arbitrary File Deletion attributable to a lacking functionality examine on the wpmr_delete_file() operate” by authenticated attackers. The truth that an attacker wants authentication as a person makes it rather less possible for it to be exploited, nevertheless not by a lot as a result of it solely requires subscriber stage authentication, which is the bottom stage of authentication. The “subscriber” function is the default stage of registration on a WordPress web site (if registration is allowed).
In line with Wordfence:
“This makes it doable for authenticated attackers, with Subscriber-level entry and above, to delete arbitrary information making distant code execution doable. That is solely exploitable when superior mode is enabled on the location.”
There isn’t any identified patch out there for the plugin and customers are cautioned to take vital actions corresponding to uninstalling the plugin to mitigate danger.
The plugin is at present unavailable for obtain with a discover displaying that it’s underneath overview.
Screenshot Of Malcure Plugin At WordPress Repository
Learn Extra WordPress Information
WordPress Replace 6.8.2 – Ends Safety Assist For 0.9% of Websites
Featured Picture by Shutterstock/Kues