Anti-Malware Security and Brute-Force Firewall < 4.23.56 – Unauthenticated Remote Code Execution | CVE 2024-22144 | Plugin Vulnerabilities

Description

The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.21.96 due to weak nonce generation combined with missing authorization. This makes it possible for unauthenticated attackers to brute force a valid nonce that can be used to add malware rule and execute code on the server.

Affects Plugins

Fixed in 4.23.56

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d7e81331-0b39-4490-8624-38078b3d5420

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

f6ece1fa-9075-4392-9e10-ce83a20e6ed6

Timeline

Publicly Published

2024-03-12 (about 2 years ago)

Added

2024-05-08 (about 2 years ago)

Last Updated

2024-05-08 (about 2 years ago)

Other

Published

Title

Published

2026-03-23

Title

User Registration & Membership < 5.1.3 - Unauthenticated Remote Code Execution

Published

2026-02-25

Title

Advanced Woo Labels < 2.37 - Authenticated (Admin+) Remote Code Execution

Published

2025-02-28

Title

Authors List < 2.0.6.1 - Unauthenticated Arbitrary Shortcode Execution

Published

2026-03-06

Title

Easy PHP Settings < 1.0.5 - Authenticated (Administrator+) PHP Code Injection via 'wp_memory_limit' Setting

Published

2025-09-26

Title

YayCurrency < 3.3.2 - Admin+ Remote Code Execution