CVE-2024-10938

MEDIUM

OVRI Payment 1.7.0 - Malicious File Execution

Title source: llm

Description

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper function of a site.

References (3)

[Product] https://plugins.trac.wordpress.org/browser/moneytigo/tags/1.7.0/.htaccess

[Product] https://plugins.trac.wordpress.org/browser/moneytigo/tags/1.7.0/assets/.htaccess

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/2b45674c-8446-44eb-a45a-15dab02c89cf?source=cve

Scores

CVSS v3 6.5

EPSS 0.0007

EPSS Percentile 20.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-506

Status published

Published Feb 27, 2026

Tracked Since Feb 27, 2026