CVE-2024-10938 PUBLISHED

OVRI Payment 1.7.0 - Malicious .htaccess directive

Assigner: Wordfence
Reserved: 06.11.2024 Published: 27.02.2026 Updated: 27.02.2026

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper function of a site.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	moneytigo
Product	OVRI Payment
Versions	Default: unaffected Version 1.7.0 is affected

Credits

Marco Wotschka finder

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/2b45674c-8446-44eb-a45a-15dab02c89cf?source=cve
https://plugins.trac.wordpress.org/browser/moneytigo/tags/1.7.0/.htaccess
https://plugins.trac.wordpress.org/browser/moneytigo/tags/1.7.0/assets/.htaccess

Problem Types

CWE-506 Embedded Malicious Code CWE