CVE-2024-10938 Overview
The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. These files contain directives designed to prevent the execution of certain scripts while explicitly allowing the execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper function of a WordPress site and potentially enable attackers to execute malicious code.
Critical Impact
This vulnerability represents a supply chain compromise where a WordPress payment plugin has been trojanized with malicious configuration files that could allow execution of malicious PHP code while blocking legitimate security scripts.
Affected Products
- OVRI Payment plugin for WordPress version 1.7.0
- WordPress sites using the moneytigo plugin version 1.7.0
- Apache-based web servers hosting affected WordPress installations
Discovery Timeline
- 2026-02-27 - CVE CVE-2024-10938 published to NVD
- 2026-02-27 - Last updated in NVD database
Technical Details for CVE-2024-10938
Vulnerability Analysis
This vulnerability falls under CWE-506 (Embedded Malicious Code), indicating that the plugin itself has been compromised to include malicious functionality. The .htaccess files within the OVRI Payment plugin (also known as moneytigo) have been specifically crafted to manipulate Apache's request handling in a way that benefits attackers.
The malicious .htaccess files are positioned in two locations within the plugin: the root plugin directory and the assets subdirectory. These configuration files use Apache directives to selectively control which PHP files can be executed, creating an environment where legitimate security controls are bypassed while known malicious scripts are permitted to run.
Root Cause
The root cause of this vulnerability is the inclusion of embedded malicious code within a publicly distributed WordPress plugin. This represents a supply chain attack where the plugin's distribution has been compromised to include .htaccess files with directives that:
- Prevent execution of legitimate security scanning or monitoring scripts
- Explicitly whitelist known malicious PHP files for execution
- Potentially disrupt normal site functionality if the files propagate outside the plugin directory
Attack Vector
The attack vector is network-based and does not require authentication. An attacker who has managed to inject malicious PHP files into the server can leverage these .htaccess configurations to ensure their malicious code executes without interference from security tools. The vulnerability becomes particularly dangerous when:
- The plugin is installed on a WordPress site
- The malicious .htaccess files are copied or moved to parent directories
- Attackers combine this with other file upload or injection vulnerabilities
The malicious .htaccess files manipulate Apache's FilesMatch and similar directives to control script execution permissions. Detailed analysis of the actual malicious configurations can be found in the WordPress Plugin .htaccess File and the Plugin Assets .htaccess File.
Detection Methods for CVE-2024-10938
Indicators of Compromise
- Presence of .htaccess files from the moneytigo/OVRI Payment plugin version 1.7.0 in unexpected directories
- Apache configuration rules that whitelist specific PHP filenames associated with known malware
- Unexpected modifications to existing .htaccess files in WordPress directories
- Execution of PHP scripts that should normally be blocked by security plugins
Detection Strategies
- Perform file integrity monitoring on all .htaccess files across the WordPress installation
- Review Apache access logs for requests to unusual PHP filenames that may be whitelisted by malicious directives
- Utilize WordPress security plugins that scan for known malicious file patterns
- Compare installed plugin files against known-good checksums from the WordPress.org repository
Monitoring Recommendations
- Implement real-time file system monitoring for changes to .htaccess files
- Configure alerts for any new .htaccess file creation outside of expected WordPress directories
- Monitor for network connections from the web server to known malicious command and control infrastructure
- Review web application firewall logs for blocked requests that may indicate exploitation attempts
How to Mitigate CVE-2024-10938
Immediate Actions Required
- Remove the OVRI Payment (moneytigo) plugin version 1.7.0 immediately from all WordPress installations
- Search for and remove any .htaccess files that may have been copied from the malicious plugin
- Perform a complete malware scan of the affected WordPress installation
- Review server logs for evidence of malicious PHP file execution
Patch Information
Site administrators should immediately uninstall the affected plugin version. Check the Wordfence Vulnerability Report for updated guidance on remediation and any clean versions that may be released.
Workarounds
- Disable the OVRI Payment plugin until a verified clean version is available
- Implement strict file upload controls to prevent placement of malicious PHP files
- Configure web application firewall rules to block execution of unusual PHP filenames
- Use Apache configuration to override any malicious .htaccess directives at the server level
# Configuration example
# Add to Apache server configuration to prevent .htaccess overrides in plugin directories
<Directory "/var/www/html/wp-content/plugins/moneytigo">
AllowOverride None
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
</Directory>
# Search for suspicious .htaccess files across WordPress installation
find /var/www/html -name ".htaccess" -exec grep -l "FilesMatch" {} \; -exec cat {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
