CVE-2022-0875

Published: Jun 27, 2022Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks

Affected (1)

Products: Miniorange: Google Authenticator

Miniorange

1 product

Google Authenticator

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Miniorange Google Authenticator	Before 1.0.5

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.