The Malcure Malware Scanner plugin for WordPress has recently come under scrutiny after security experts discovered a significant vulnerability. Rated at a severity level of 8.1, this issue is considered high risk, and as of now, no official patch has been released to address it.

Following this discovery, the plugin has been temporarily removed from the WordPress repository as a precautionary measure. This step is intended to prevent further installations and to protect website owners who might unknowingly put their sites at risk.

The advisory about this vulnerability was published by Wordfence, a well-known name in WordPress security. According to their report, the vulnerability could potentially be exploited by malicious actors, although specific technical details have not been widely shared to avoid encouraging abuse.

Malcure Malware Scanner is designed to help website owners detect malware and keep their WordPress sites secure. However, this recent development highlights the ongoing challenge faced by plugin developers in keeping pace with emerging threats and vulnerabilities.

At this stage, website administrators using the Malcure plugin are strongly advised to remain alert for updates or patches from the plugin’s developers. In the meantime, it may be wise to explore alternative security plugins or additional protective measures to maintain website safety.

This situation also serves as a reminder of the importance of regularly reviewing and updating all plugins to reduce the risk of potential security breaches. Staying informed about security advisories and following best practices is key to safeguarding any website from evolving threats.

Malcure Malware Scanner Vulnerability

The Malcure Malware Scanner plugin, which is currently active on over 10,000 WordPress sites, has been found to contain a vulnerability. Specifically, it is exposed to “Arbitrary File Deletion” due to a missing capability check within the wpmr_delete_file() function.

Although exploiting the flaw requires an authenticated account, that requirement does little to raise the bar: only a subscriber-level account is needed, which is the lowest user role in WordPress.

By default, WordPress sites that have user registration enabled will allow new users to register as subscribers. This means that in practice, the vulnerability could still pose a real risk if left unpatched.

Wordfence has highlighted that this flaw allows authenticated attackers with at least Subscriber-level access to delete any file on the site. Worryingly, this could even open the door to remote code execution if advanced mode is turned on.
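To show what a missing capability check looks like in a WordPress AJAX handler, here is an added example that is not Malcure's code: a hypothetical file-deletion handler in the weak shape the advisory describes, beside a hardened version that checks capability, nonce and path confinement. The function names, the quarantine directory and the nonce action are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Function names, the quarantine
// directory and the nonce action are assumed for the example.

// WEAK: wp_ajax_* hooks are reachable by any logged-in user (Subscriber
// included), and nothing here verifies the caller may delete files.
function example_delete_file_weak() {
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( $file && file_exists( $file ) ) {
        wp_delete_file( $file );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_file_weak', 'example_delete_file_weak' );

// HARDENED: require an administrator capability, a nonce tied to this action,
// and a path that resolves inside the directory the feature is meant to manage.
function example_delete_file_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // exits
    }
    check_ajax_referer( 'example_delete_file', 'nonce' );       // exits on failure

    $base = realpath( WP_CONTENT_DIR . '/example-quarantine' ); // assumed directory
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $path = $name ? realpath( $base . '/' . $name ) : false;

    // realpath() resolves "../" and symlinks, so a prefix check on the result
    // confines deletion to $base; sanitize_file_name() already strips separators.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    if ( ! is_file( $path ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_delete_file( $path );
    wp_send_json_success( array( 'deleted' => $name ) );
}
add_action( 'wp_ajax_example_delete_file_hardened', 'example_delete_file_hardened' );
```

The capability check is what the advisory says is missing; the nonce and the realpath prefix test are the two further checks a reviewer would expect on any handler that deletes files.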

At present, there is no patch available to fix this issue. As a precaution, users are advised to uninstall the plugin to reduce the risk of an attack.

Currently, the Malcure Malware Scanner plugin has also been removed from the WordPress plugin repository, with a notice stating it is under review.

Dropping Security Support

WordPress has announced it will no longer offer security support for versions 4.1 through to 4.6. According to official WordPress statistics, these older versions are currently used by only around 0.9% of websites.

In a statement shared on the release page, the team explained:

“Dropping security updates for WordPress versions 4.1 through 4.6
This is not directly related to the 6.8.2 maintenance release, but branches 4.1 to 4.6 had their final release today. These branches won’t receive any security update anymore.”

Further clarification was provided on another section of the WordPress site. It noted that from July 2025 onwards, the WordPress Security Team will stop issuing security updates for these older versions.

These particular versions of WordPress were originally launched over nine years ago. Today, more than 99% of WordPress sites already run newer releases, meaning that the impact of this change is expected to be minimal.

Overall, this move highlights WordPress’s ongoing focus on maintaining and securing its more current software, while encouraging site owners still on older versions to update promptly to stay protected.
