Affected plugin | iThemes Security |
Active installs | 1+ million |
Vulnerable version | <= 8.1.2 |
Audited version | 8.1.2 |
Fully patched version | – |
Recommended remediation | Removal of the plugin |
Description
In almost all places where secret keys are compared to user input, the plugin uses string comparison operators that are not constant-time and so do not mitigate timing attacks.
A skilled attacker, given enough requests, can abuse this to recover secrets through a timing side channel.
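The bug class described above, shown as an added example rather than code from the plugin: a timing-unsafe comparison next to two hardened forms. The function names and the sample key are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample secret (assumption); a real plugin would load it from storage.
const SAMPLE_KEY = 'constructed-sample-key-0123456789abcdef';

// Timing-unsafe: === on strings may stop at the first differing byte,
// so run time can depend on how much of the secret the input matched.
function check_key_unsafe(string $stored, string $supplied): bool
{
    return $stored === $supplied;
}

// Hardened: hash_equals() takes the same time for equal-length inputs,
// no matter where they differ.
function check_key_safe(string $stored, $supplied): bool
{
    // Request parameters can arrive as arrays (?key[]=x); reject non-strings.
    // An empty stored secret must never authenticate anyone.
    if (!is_string($supplied) || $stored === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Hardened further: hash_equals() returns early when lengths differ, which
// can reveal the secret's length. HMAC both sides under a throwaway random
// key so the compared strings are always 64 hex characters.
function check_key_safe_fixed_length(string $stored, $supplied): bool
{
    if (!is_string($supplied) || $stored === '') {
        return false;
    }
    $k = random_bytes(32);
    return hash_equals(
        hash_hmac('sha256', $stored, $k),
        hash_hmac('sha256', $supplied, $k)
    );
}

// All three agree on the result; only the timing behaviour differs.
var_dump(check_key_unsafe(SAMPLE_KEY, SAMPLE_KEY));                  // bool(true)
var_dump(check_key_safe(SAMPLE_KEY, 'constructed-sample-key-XXXX')); // bool(false)
var_dump(check_key_safe(SAMPLE_KEY, ['array', 'input']));            // bool(false)
var_dump(check_key_safe_fixed_length(SAMPLE_KEY, SAMPLE_KEY));       // bool(true)
var_dump(check_key_safe_fixed_length(SAMPLE_KEY, 'short'));          // bool(false)
```

When auditing a code base for this issue, every `==`, `===`, `strcmp()` or similar comparison whose operands include a key, token, hash or signature is a candidate for replacement with `hash_equals()`.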
Timeline
Vendor contacted | September 07, 2022 |
First Response (from a developer) | – |
Fully patched at | – |
Publicly disclosed | April 24, 2023 |
Miscellaneous
- The vendor made us send the POC through third-party chat software to support staff despite our asking explicitly for a security@ email.