Recent Vulnerabilities in WordPress Plugins: Malware Scanner Issues

Edward Zhou
Edward Zhou

CEO & Founder

 
July 16, 2025 3 min read

WordPress Malware Scanner Plugin Contains Vulnerability

The Malcure Malware Scanner plugin has been identified with a high-severity vulnerability, rated at 8.1, and is currently shut down in the WordPress repository. This vulnerability allows authenticated attackers to delete arbitrary files due to a missing capability check on the wpmr_delete_file() function.

WordPress Malware Scanner Plugin Contains Vulnerability

Image courtesy of Search Engine Journal

The plugin has over 10,000 installations. Despite requiring user authentication for exploitation, the risk remains significant as it only necessitates subscriber-level access, the lowest level on WordPress sites.

According to Wordfence, "This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible."

Users are advised to uninstall the plugin immediately as there is no known patch available.

Malcure Plugin Screenshot

Malcure Plugin At WordPress Repository

Image courtesy of Search Engine Journal

Malware Scanner Plugin Vulnerabilities

The Malware Scanner WordPress plugin prior to version 4.5.2 does not sanitize and escape its settings, leading to potential Cross-Site Scripting (XSS) attacks. Malicious users with administrator privileges can store harmful Javascript code, especially when unfiltered_html is disallowed, such as in multisite setups.

CVE Details

  • CVE ID: CVE-2022-1995
  • Severity: Moderate
  • CVSS Score: 4.8/10
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High

For more details, visit CVE-2022-1995 and the WPScan Vulnerability.

Recent Vulnerable WordPress Plugins

Vulnerable plugins have been a significant cause of attacks on WordPress sites, accounting for about 55.9% of all hacking incidents. Users are encouraged to keep their plugins updated to mitigate risks.

Duplicator – WordPress Migration Plugin

The Duplicator plugin, used for site migration and backups, has faced an arbitrary file download vulnerability. Attackers could exploit this flaw to access and download sensitive files. A critical update was released in version 1.3.28 and Duplicator Pro Version 3.8.71.

ThemeGrill Demo Importer

This plugin allows users to import themes and content. A vulnerability allows hackers to take control of admin accounts. A patch was issued in version 1.6.3.

Profile Builder Plugin

A flaw in this plugin allowed unauthorized admin account registrations, impacting all versions up to 3.1.0. Users must update to version 3.1.1 for security.

Flexible Checkout Fields for WooCommerce

This plugin, which customizes checkout fields, had vulnerabilities that enabled malicious code injection. Updates were released in versions 2.3.2 and 2.3.3.

Async JavaScript

The Async JavaScript plugin faced a vulnerability allowing remote code execution attacks. The latest secure version is 2.20.03.01.

For additional details on the vulnerabilities, visit the blog on MalCare.

Malware Removal Strategies

If you suspect a malware infection, consider using tools like Wordfence for scanning and cleaning your site. Some recommended practices include:

  • Regularly update plugins and themes.
  • Change file permissions appropriately.
  • Disable XML-RPC API.
  • Use strong passwords and avoid common usernames.

If your site has been compromised, it's essential to remove any malware and secure your site against future attacks. For assistance, check out Malware Removal Services.

By following these steps, you can significantly reduce the risk of your WordPress site being compromised.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article