Authorization Bypass in miniOrange Google Authenticator Plugin for WordPress
CVE-2022-4943

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Miniorange's Google Authenticator – WordPress Two Factor Authentication – 2fa , Two Factor, Otp Sms And Email | Passwordless Login
Vendor: CVE Published:; 20 October 2023

Summary

The miniOrange Google Authenticator plugin for WordPress contains a vulnerability that allows unauthorized users to bypass authentication and alter plugin settings. This is due to a missing capability check in versions up to and including 5.6.5, enabling unauthenticated attackers to essentially hijack the plugin's configurations. Consequently, this poses a significant risk to users relying on the plugin for secure two-factor authentication, as it can lead to unauthorized access and manipulation of critical security settings.

Affected Version(s)

miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login * <= 5.6.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 20, 2023
Vulnerability Reserved
Apr 19, 2023

Credit

Ramuel Gall