CVE-2024-10938

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

27/02/2026

Last modified:

27/02/2026

Description

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin&#39;s directory, they may interfere with the proper function of a site.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS v3.1 Severity and Metrics:

Base Score: 6.50 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): Low

Base Score 3.x

6.50

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://plugins.trac.wordpress.org/browser/moneytigo/tags/1.7.0/.htaccess
https://plugins.trac.wordpress.org/browser/moneytigo/tags/1.7.0/assets/.htaccess
https://www.wordfence.com/threat-intel/vulnerabilities/id/2b45674c-8446-44eb-a45a-15dab02c89cf?source=cve