Cross Site Request Forgery in Two-Factor Authentication Plugin for WordPress
CVE-2018-20231

8.8HIGH

Key Information:

Vendor
Wordpress
Status
Two-factor-authentication
Vendor
CVE Published:
19 December 2018

Summary

A vulnerability was identified in the Two-Factor Authentication plugin for WordPress, allowing remote attackers to exploit a Cross Site Request Forgery (CSRF) flaw. This weakness arises from the absence of effective nonce validation in the plugin prior to version 1.3.13. By leveraging this vulnerability, attackers can disable Two-Factor Authentication for users, undermining the security provided by this essential feature. It is crucial for users to update to the latest version to safeguard their accounts against unauthorized access.

References

https://www.privacy-wise.com/two-factor-authentication-cr...
x_refsource_MISC
https://wpvulndb.com/vulnerabilities/9187
x_refsource_MISC
https://wordpress.org/plugins/two-factor-authentication/#...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.