WordPress Broken Authentication vulnerabilities (10)


  • Unauthenticated Remote Code Execution – Bricks <= 1.9.6

    Affected plugin: Bricks Builder
    Active installs: Commercial, ~25,000
    Vulnerable version: <= 1.9.6
    Audited version: 1.9.6
    Fully patched version: 1.9.6.1
    Recommended remediation: Upgrade immediately to version 1.9.6.1 or higher
    Description: Bricks <= 1.9.6 is vulnerable to unauthenticated remote code execution (RCE), which means that anybody can run arbitrary commands and take over the site/server.…

  • SSO Enforcement Bypass – WP SAML Auth 2.1.3

    Affected plugin: WP SAML Auth
    Active installs: 5,000+
    Vulnerable version: <= 2.1.3
    Audited version: 2.1.3
    Fully patched version: 2.1.4
    Recommended remediation: Upgrade the plugin to 2.1.4
    Description: The WP SAML Auth plugin allows enforcing that all users must log in via the configured SAML IDP rather than the standard WordPress login. This can be bypassed…

  • Total site takeover in combination with read-only SQLi – (WordFence <= 7.6.1)

    An attacker can compromise any site using WordFence’s 2FA functionality by logging in as any user with two-factor authentication configured. The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL Injection vulnerabilities. Neither the target user’s primary credentials nor any other form of authentication is required.

  • Total site takeover in combination with read-only SQLi – (Shield Security <= 16.1.3)

    Affected plugin: Shield Security
    Active installs: 60,000+
    Vulnerable version: <= 16.1.3
    Audited version: 16.1..1
    Fully patched version: 16.1.4
    Recommended remediation: Immediately upgrade to version 16.1.4 or higher
    Description: An attacker can log in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or…

  • Bypass login page IP allowlist – (All in One WP Security <= 5.0.7)

    The plugin’s IP allowlist for the login page does not work on NGINX servers.

  • Total site takeover through broken 2FA in combination with SQLi – (WPMU Defender <= 3.3.0)

    An attacker can compromise any site using the plugin’s 2FA functionality by logging in as any user with two-factor authentication configured. The precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL Injection vulnerabilities. Furthermore, the attacker needs to obtain a valid WordPress nonce, which he can…

  • Site takeover through broken 2FA in combination with SQLi – (miniOrange <= 5.5.82)

    An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.

  • Site takeover through stolen API credentials in combination with SQLi – (miniOrange <= 5.5.82)

    Affected plugin: miniOrange
    Active installs: 20,000+
    Vulnerable version: <= 5.5.82
    Audited version: 5.5.82
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin uses remote APIs in almost all authentication-related contexts. In addition, the plugin authenticates itself using information stored exclusively as plaintext in the database. An attacker, armed with a read-only…

  • Broken authentication leads to total site takeover in combination with read-only SQLi – (Two-Factor <= 0.7.1)

    An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.