vulnerability

WordPress Plugin: web-application-firewall: CVE-2024-2172: Missing Critical Step in Authentication

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Mar 13, 2024

Added

May 15, 2025

Modified

May 5, 2026

Description

The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.

Solution

web-application-firewall-plugin-cve-2024-2172

References

https://www.cve.org/CVERecord?id=CVE-2024-2172
https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-27135
CVE-2024-2172
https://attackerkb.com/topics/CVE-2024-2172
CWE-304
EUVD-EUVD-2024-27135

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report