WordPress Insufficient Cryptography vulnerabilities (10)
- Possible site takeover through stolen API credentials in combination with SQLi – (MalCare <= 5.09)
  Affected plugin: MalCare | Active installs: 300,000+ | Vulnerable version: <= 5.0.9 | Audited version: 4.97 / 5.0.9 | Fully patched version: 5.16 | Recommended remediation: Removal of the plugin
  Description: MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites. Requests are authenticated by comparing a shared secret stored as plaintext in the…
- Possible site takeover through stolen API credentials in combination with SQLi – (BlogVault <= 5.09)
  Affected plugin: BlogVault | Active installs: 100,000+ | Vulnerable version: <= 5.09 | Audited version: 5.09 | Fully patched version: 5.16 | Recommended remediation: Removal of the plugin
  Description: This vulnerability is identical to this one in MalCare because MalCare and BlogVault share 99% of their codebase.
  Proof of concept: Refer to this POC and use “bvbackup” in step 4.…
- Possible site takeover through stolen API credentials in combination with SQLi – (WPRemote <= 5.09)
  Affected plugin: WPRemote | Active installs: 20,000+ | Vulnerable version: <= 5.09 | Audited version: 5.09 | Fully patched version: 5.16 | Recommended remediation: Removal of the plugin
  Description: This vulnerability is identical to this one in MalCare because MalCare and WPRemote share 99% of their codebase.
  Proof of concept: Refer to this POC and use “wpremote” in step 4.…
- Possible site takeover through stolen API credentials in combination with SQLi – (WPUmbrella <= 2.10.0)
  WPUmbrella’s remote application uses a local companion plugin to perform its functionality. The communication between the remote WPUmbrella application and the WordPress site is secured using a shared secret stored as plaintext in the WordPress options table. An attacker that can read the plaintext value can fully impersonate WPUmbrella’s remote application and perform all actions,…
- Encryption key is stored in version control – (WPMU Defender – 3.3.2)
  Affected plugin: WPMU Defender | Active installs: 70,000+ | Vulnerable version: 3.3.2 | Audited version: 3.3.2 | Fully patched version: 3.3.3 | Recommended remediation: Immediately update to version 3.3.3 or higher and reset all TOTP secrets.
  Description: The plugin uses symmetric encryption before storing users’ TOTP secrets in the database. However, the encryption key is stored in version control and…
- Compromise of 2FA secrets and backup codes through read-only SQLi – (WordFence <= 7.6.2)
  The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all 2FA checks for all users indefinitely.
- Compromise of 2FA secrets through read-only SQLi – (Shield Security <= 16.1.6)
  The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all 2FA checks for all users indefinitely.
- Compromise of 2FA secrets and backup codes through read-only SQLi – (WordFence Login Security <= 1.0.11)
  The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to bypass all 2FA checks for all users indefinitely.
- Broken encryption allows 2FA bypass – (All in One WP Security <= 5.0.7)
  The plugin employs a broken encryption scheme that allows an attacker to permanently bypass all 2FA checks under the condition that the target website was vulnerable at any point in time to one of the never-ending read-only SQL-Injections in any plugin, theme, or WordPress core.
- Compromise of 2FA secrets and emergency codes through read-only SQLi – (WPMU Defender <= 3.3.0)
  Affected plugin: WPMU Defender | Active installs: 70,000+ | Vulnerable version: <= 3.3.0 | Audited version: 3.2.0 | Fully patched version: – | Recommended remediation: Removal of the plugin
  Description: The plugin stores users’ emergency backup codes and TOTP secrets as plaintext in the database. An attacker that can obtain one of the seemingly never-ending read-only SQL-Injections will be able to…