WordPress Sensitive Data Exposure vulnerabilities (10)


  • Encryption key is stored in version control – (WPMU Defender – 3.3.2)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: 3.3.2
    Audited version: 3.3.2
    Fully patched version: 3.3.3
    Recommended remediation: Immediately update to version 3.3.3 or higher and reset all TOTP secrets.

    Description: The plugin uses symmetric encryption before storing users’ TOTP secrets in the database. However, the encryption key is stored in version control and […]

  • TOTP Secrets stored as plaintext in a world-readable file – (WPMU Defender 3.3.1)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: 3.3.1
    Audited version: 3.3.1
    Fully patched version: 3.3.3
    Recommended remediation: Immediately update to version 3.3.3 or higher and reset all TOTP secrets.

    Description: The plugin stores TOTP secrets as plaintext in a file inside the WordPress uploads directory. On the overwhelming amount of WordPress web server […]

  • Time-based-side-channel attacks on secrets – (WPMU Defender <= 3.3.0)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: <= 3.3.0
    Audited version: 3.2.0
    Fully patched version: –
    Recommended remediation: Removal of the plugin

    Description: The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse […]

  • Time-Based-Side-Channel-Attack on 2FA secrets – (iThemes Security <= 8.1.2)

    Affected plugin: iThemes Security
    Active installs: 1+ million
    Vulnerable version: <= 8.1.2
    Audited version: 8.1.2
    Fully patched version: –
    Recommended remediation: Removal of the plugin

    Description: The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can […]

  • Site compromise through leaked wp-config – (miniOrange <= 5.5.82)

    The plugin stores filesystem and database backups as unencrypted .zip archives in the wp-uploads directory. The only protection is a .htaccess file which is ignored by NGINX. Since most web servers are configured to allow access to zip files in the wp-uploads directory, an attacker can download arbitrary backups and take over the entire site by stealing the wp-config salts.

  • Time-Based-Side-Channel-Attack on 2FA secrets – (Google Authenticator <= 0.54)

    The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse this to reverse secrets using time-based-side-channel attacks.

  • Time-Based-Side-Channel-Attack on secrets – (Two-Factor <= 0.7.1)

    The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse this to reverse secrets using time-based-side-channel attacks.

  • Exposure of secrets through insecure HTTP cookies – (SiteGround Security <= 1.3.0)

    The plugin uses HTTP cookies to store secret information. However, by using PHP’s “setcookie” function incorrectly, the plugin allows an attacker to read these cookies with JavaScript (XSS) or steal them over insecure HTTP connections (Man-in-the-middle-attack).

  • Time-based-side-channel-attacks on secrets – (SiteGround Security <= 1.3.0)

    The plugin uses string comparison operators that don’t mitigate time-based attacks in several places where secrets are compared to user input. A skilled attacker, given enough requests, can abuse this to reverse secrets using time-based-side-channel attacks.

  • Exposure of encryption secrets in world-readable .txt file (WP 2FA <= 2.3.0)

    The plugin will, under certain conditions, log all users’ 2FA secrets to a world-readable .txt file in the “wp-uploads” directory.