Critical Vulnerability Discovered in Popular WordPress Malware Scanner

2025-07-15

Author: Rajesh

Alarm Bells Ring for WordPress Users!

In a startling revelation, Wordfence has issued a security advisory warning that the Malcure Malware Scanner plugin for WordPress harbors a severe vulnerability rated at 8.1 on the severity scale. Alarmingly, no patch is currently available to address this issue!

What’s at Stake?

With over 10,000 active installations, the Malcure Malware Scanner plugin puts numerous websites at risk. The vulnerability stems from an 'Arbitrary File Deletion' flaw linked to a missing capability check in the wpmr_delete_file() function. This means that authenticated attackers can delete files at will, opening the door to potential remote code execution.

Who’s at Risk?

While the requirement for a user to be authenticated does provide a layer of safety, the threshold is alarmingly low. Even an account with just 'Subscriber' level access, the most basic level of user permissions on WordPress, is enough to exploit this vulnerability. This presents a troubling scenario for sites that allow user registrations.
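For teams auditing their own plugins for the same class of bug, here is an added example (not code from Wordfence or from the Malcure plugin) of a heuristic scan that flags PHP functions reaching a file deletion call without a prior current_user_can() check. The sample PHP, the handler names and the AJAX wiring are constructed for illustration.

```python
import re

# Constructed sample (not the Malcure plugin's source): two hypothetical AJAX
# handlers. wp_ajax_* hooks run for any logged-in user, Subscribers included.
SAMPLE_PHP = r'''<?php
add_action( 'wp_ajax_demo_delete', 'demo_delete_file' );
function demo_delete_file() {                 // no capability check
    unlink( wp_unslash( $_POST['file'] ) );
}
add_action( 'wp_ajax_demo_purge', 'demo_purge_file' );
function demo_purge_file() {                  // checks before deleting
    check_ajax_referer( 'demo_purge' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_file( wp_unslash( $_POST['file'] ) );
}
'''

FUNC_RE = re.compile(r'function\s+(\w+)\s*\([^)]*\)\s*\{')
DELETE_RE = re.compile(r'\b(?:unlink|wp_delete_file|rmdir)\s*\(')
CAP_RE = re.compile(r'\bcurrent_user_can\s*\(')

def function_bodies(src):
    """Yield (name, body) per named PHP function by counting braces.
    Heuristic: braces inside strings or comments are not handled."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def unguarded_deleters(src):
    """Names of functions that reach a file deletion call with no
    current_user_can() call earlier in the same function body."""
    flagged = []
    for name, body in function_bodies(src):
        delete = DELETE_RE.search(body)
        if delete is None:
            continue
        cap = CAP_RE.search(body)
        if cap is None or cap.start() > delete.start():
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name in unguarded_deleters(SAMPLE_PHP):
        print(f"review: {name}() deletes files with no capability check")
```

A flagged function is a lead for manual review, not a verdict: the scan cannot see a capability check performed by a caller or wrapper.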

Immediate Action Needed!

According to Wordfence, "Authenticated attackers with subscriber-level access or higher can delete arbitrary files, particularly when advanced mode is enabled on the site." As of now, there is no fix on the horizon, prompting experts to strongly recommend that users uninstall the plugin immediately to mitigate risks.

Malcure Plugin Temporarily Removed!

In light of the discovered vulnerability, the Malcure Malware Scanner plugin has been pulled from the WordPress repository for review. Users searching for the plugin will encounter a warning indicating its unavailability.

Stay Informed!

As the WordPress community grapples with this serious security flaw, it’s crucial to stay updated on preventive measures and alternatives to ensure your site remains secure. Don’t wait for a breach—act now!