CVE-2022-0229

Published: Mar 21, 2022Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.

Affected (1)

Products: Miniorange: Google Authenticator

1 product

Google Authenticator

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Miniorange Google Authenticator	Before 5.5

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.