CVE-2024-25902 – WordPress Malware Scanner Plugin <= 4.7.2 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2024-25902
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in miniorange Malware Scanner.This issue affects Malware Scanner: from n/a through 4.7.2. The Malware Scanner plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to, and including, 4.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/miniorange-malware-protection/wordpress-malware-scanner-plugin-4-7-2-admin-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-52176 – WordPress Malware Scanner plugin <= 4.7.1 - IP Restriction Bypass vulnerability
https://notcve.org/view.php?id=CVE-2023-52176
Authentication Bypass by Spoofing vulnerability in miniorange Malware Scanner allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Malware Scanner: from n/a through 4.7.1. La vulnerabilidad de omisión de autenticación mediante suplantación de identidad en miniorange Malware Scanner permite acceder a funciones que no están correctamente restringidas por las ACL. Este problema afecta a Malware Scanner: desde n/a hasta 4.7.1. The Malware Scanner plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 4.7.1 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass IP blocking functionality. • https://patchstack.com/database/vulnerability/miniorange-malware-protection/wordpress-malware-scanner-plugin-4-7-1-ip-restriction-bypass-vulnerability?_s_id=cve • CWE-290: Authentication Bypass by Spoofing CWE-693: Protection Mechanism Failure •