Snicco, a WordPress security services provider, has published an advisory on a vulnerability in the MalCare plugin, which is active on more than 300,000 sites.

“MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites,” WordPress security researcher Calvin Alkan said.

“Requests are authentication by comparing a shared secret stored as plaintext in the WordPress database to the one provided by MalCare’s remote application.

“This can allow attackers to completely take over the site because they can impersonate MalCare’s remote application and perform any implemented action.”

These potential malicious actions include creating rogue admin users, uploading random files to the site, and installing and removing plugins.

Exploitation requires a pre-condition to be met, such as a site with a SQL injection vulnerability in a plugin, theme, or WordPress core, or a database compromised at the hosting level, or subject to another vulnerability that allows the attacker to read or update WordPress options.

“MalCare has received the full details of this vulnerability three months before this public release, and despite us offering (free) help, they subtly dismissed it because ‘supposedly’ this is the industry standard for API authentication,” Alkan said.

“Furthermore, concerns were raised, because the vulnerability requires a pre-condition that on its own, would be a vulnerability.”

Two days after Snicco published the security advisory with the proof of concept, MalCare pushed a patch in version 5.16 on July 8, 2023, along with a notice on the plugin’s blog:

In the rare situation, where a site has a pre-existing, high severity SQL injection vulnerability, an attacker might be able to read the MalCare key. To address such issues, we are further strengthening our authentication systems.

Authentication is a critical system and any improvements must be done in a careful manner. We have reviewed various plugins and best practices in our ecosystem to come up with our solution.

In light of the current public discourse, we are expediting the update of our plugin. We will initiate a rollout by EOD.

MalCare reports that its users have seen no evidence of the vulnerability being exploited.

Snicco noted that the same vulnerability also exists in WPRemote (20k installs) and Blogvault (100k installs) plugins, as they share the same code. Users of either of these plugins or the MalCare plugin should update to the latest versions as soon as possible now that the vulnerability advisory and proof of concept have been published.