A significant security vulnerability was disclosed in the popular WordPress plugin “Anti-Malware Security and Brute-Force Firewall.” The flaw affects over 100,000 active installations, putting a large number of websites that rely on the tool at risk. The vulnerability was identified and reported by security researchers, prompting an urgent fix from the plugin’s developer.
Details of the CSRF Vulnerability
The vulnerability is tracked as CVE-2024-2194, a Cross-Site Request Forgery (CSRF) flaw. Because the affected request handler did not verify that a settings change actually originated from the site’s own admin interface, an unauthenticated attacker could craft a request that injects arbitrary web scripts into the website’s footer. As with any CSRF, the attacker still has to get a logged-in administrator to trigger that request, for example by clicking a link, since the browser attaches the administrator’s session to it. The result is a Stored Cross-Site Scripting (XSS) condition: the injected script is saved by the site and executes in the browser of anyone who visits it. The discovery of the flaw is credited to security researcher Huli from the cybersecurity firm Patchstack.
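The CSRF-to-stored-XSS chain described above, as an added example that is not the plugin’s code or Patchstack’s analysis: a hypothetical WordPress-style settings handler for a site-footer snippet, written in plain PHP so it runs on its own, with the CSRF-prone form beside a hardened one. The nonce scheme, secret, action name, user id and capability values are assumptions standing in for WordPress’s wp_create_nonce(), check_admin_referer() and current_user_can(); the forged and legitimate requests at the bottom are constructed inputs.

```php
<?php
// Added example, not code from the Anti-Malware Security and Brute-Force Firewall
// plugin. Hypothetical settings handler storing a site-footer snippet, shown in its
// CSRF-prone form and a hardened one. Secret, action name, user id and capabilities
// are stand-ins for WordPress's wp_create_nonce()/check_admin_referer()/current_user_can().

declare(strict_types=1);

const NONCE_SECRET   = 'hypothetical-server-side-secret';   // assumption: random, per site
const NONCE_LIFETIME = 12 * 3600;                           // 12h tick, valid for two ticks

// Minimal model of one HTTP request plus the session the browser attached to it.
final class Request
{
    public function __construct(
        public readonly array $post,          // parsed POST body
        public readonly ?int $userId,         // resolved from the session cookie, if any
        public readonly array $capabilities,  // e.g. ['manage_options']
    ) {}
}

// --- nonce helpers: HMAC over (time tick, action, user), in the style of WP nonces ---
function nonce_tick(int $now): int
{
    return (int) ceil($now / NONCE_LIFETIME);
}

function nonce_for_tick(int $tick, string $action, int $userId): string
{
    return substr(hash_hmac('sha256', "$tick|$action|$userId", NONCE_SECRET), -12);
}

function create_nonce(string $action, int $userId, int $now): string
{
    return nonce_for_tick(nonce_tick($now), $action, $userId);
}

function verify_nonce(string $nonce, string $action, int $userId, int $now): bool
{
    $tick = nonce_tick($now);
    // Accept the current and previous tick so a form opened before rollover still works.
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(nonce_for_tick($t, $action, $userId), $nonce)) {
            return true;
        }
    }
    return false;
}

// --- the CSRF-prone pattern -------------------------------------------------------
function vulnerable_save_footer(Request $r, array &$options): bool
{
    // Only the session cookie is checked. A hidden form on an attacker's page can
    // POST here from the admin's browser, which attaches that cookie automatically.
    if ($r->userId === null) {
        return false;
    }
    $options['footer_html'] = (string) ($r->post['footer_html'] ?? '');  // stored verbatim
    return true;
}

// --- the hardened pattern ---------------------------------------------------------
function hardened_save_footer(Request $r, array &$options, int $now): bool
{
    if ($r->userId === null) {
        return false;
    }
    // 1. Authorisation (WordPress: current_user_can('manage_options')).
    if (!in_array('manage_options', $r->capabilities, true)) {
        return false;
    }
    // 2. Provenance: a cross-origin page cannot read the nonce embedded in the real
    //    settings form, so a forged POST cannot present a valid one
    //    (WordPress: check_admin_referer('save_footer')).
    $nonce = $r->post['_wpnonce'] ?? '';
    if (!is_string($nonce) || !verify_nonce($nonce, 'save_footer', $r->userId, $now)) {
        return false;
    }
    $options['footer_html'] = (string) ($r->post['footer_html'] ?? '');
    return true;
}

// Output encoding limits the damage if something reaches the option anyway. If the
// setting is meant to carry markup, an allow-list filter such as WordPress's
// wp_kses_post() takes the place of htmlspecialchars() here.
function render_footer(array $options): string
{
    $html = htmlspecialchars($options['footer_html'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<footer>$html</footer>";
}

// --- demo on constructed inputs ---------------------------------------------------
$now     = 1_700_000_000;
$options = [];
$payload = '<script>alert(document.cookie)</script>';   // constructed stand-in payload

// Forged request: the admin's cookie rides along (user 1), but no nonce for that user/action.
$forged = new Request(['footer_html' => $payload], 1, ['manage_options']);
printf("vulnerable handler accepted forged request: %s\n", var_export(vulnerable_save_footer($forged, $options), true));
printf("hardened handler accepted forged request:   %s\n", var_export(hardened_save_footer($forged, $options, $now), true));

// Legitimate request: the real settings form embedded a nonce (WordPress: wp_nonce_field()).
$legit = new Request(
    ['footer_html' => '<p>Hello</p>', '_wpnonce' => create_nonce('save_footer', 1, $now)],
    1,
    ['manage_options'],
);
printf("hardened handler accepted legitimate request: %s\n", var_export(hardened_save_footer($legit, $options, $now), true));
echo render_footer($options), PHP_EOL;
```

The point of the two handlers side by side is that the session cookie alone never proves the administrator intended the request; the nonce is the per-user, per-action secret a cross-site page cannot obtain, and the capability check stops a lower-privileged account from reaching the setting at all. Escaping or allow-listing on output is a separate control that blunts the stored-XSS half of the chain even if an injection path is missed.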
Immediate Patch and User Action Required
The vulnerability affected all versions of the Anti-Malware Security and Brute-Force Firewall plugin up to and including version 4.21.84. In response to the disclosure, the plugin’s developer, Eli Scheetz, released a security patch. Website administrators using the plugin are advised to update to the patched version, 4.21.85, immediately; the update can be applied from the Plugins screen of the WordPress dashboard. Updating closes the injection path, but it does not undo a script that was already injected, so administrators of sites that ran a vulnerable version should also inspect the site’s footer content for unexpected script tags or other markup they did not add.
Source: https://hothardware.com/news/wordpress-plugin-flaw-exposes-100k-sites