WordPress Broken Authentication vulnerabilities (10)
-
Total site takeover in combination with read-only SQLi – (WordFence <= 7.6.1)
An attacker can compromise any site using WordFence’s 2FA functionality by logging in as any user with two-factor authentication configured. The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL Injection vulnerabilities. Neither the target user’s primary credentials nor any form of authentication is required.
-
Total site takeover in combination with read-only SQLi – (Shield Security <= 16.1.3)
Affected plugin: Shield Security
Active installs: 60,000+
Vulnerable version: <= 16.1.3
Audited version: 16.1..1
Fully patched version: 16.1.4
Recommended remediation: Immediately upgrade to version 16.1.4 or higher
Description: An attacker can log in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or…
-
Total site takeover in combination with read-only SQLi – (WordFence Login Security <= 1.0.10)
An attacker can compromise any site using WordFence’s 2FA functionality by logging in as any user with two-factor authentication configured. The only precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL Injection vulnerabilities. Neither the target user’s primary credentials nor any form of authentication is required.
-
Bypass login page IP allowlist – (All in One WP Security <= 5.0.7)
The plugin’s IP allowlist for the login page does not work on NGINX servers.
-
Total site takeover through broken 2FA in combination with SQLi – (WPMU Defender <= 3.3.0)
An attacker can compromise any site using the plugin’s 2FA functionality by logging in as any user with two-factor authentication configured. The precondition is that any plugin, any theme, or WordPress Core has one of the seemingly never-ending read-only SQL Injection vulnerabilities. Furthermore, the attacker needs to obtain a valid WordPress nonce which he can…
-
Site takeover through broken 2FA in combination with SQLi – (miniOrange <= 5.5.82)
An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.
-
Site takeover through stolen API credentials in combination with SQLi – (miniOrange <= 5.5.82)
Affected plugin: miniOrange
Active installs: 20,000+
Vulnerable version: <= 5.5.82
Audited version: 5.5.82
Fully patched version: –
Recommended remediation: Removal of the plugin
Description: The plugin uses remote APIs in almost all authentication-related contexts. In addition, the plugin authenticates itself using information stored exclusively as plaintext in the database. An attacker, armed with a read-only…
-
Broken authentication leads to total site takeover in combination with read-only SQLi – (Two-Factor <= 0.7.1)
An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.
-
Total site takeover through broken 2FA authentication in combination with SQLi – (SiteGround Security <= 1.3.0)
An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.
-
Site takeover by stealing login tokens – (Magic Login Pro < 1.4.1)
The plugin stores login tokens as plaintext in the “wp_usermeta” table, which is as dangerous as storing passwords in plaintext, since anybody with access to the login token can authenticate as the target user.