Security vulnerabilities in SiteGround Security (5)
-
Exposure of secrets through insecure HTTP cookies – (SiteGround Security <= 1.3.0)
The plugin uses HTTP cookies to store secret information. However, by using PHP’s “setcookie” function incorrectly, the plugin allows an attacker to read these cookies with JavaScript (XSS) or steal them over insecure HTTP connections (man-in-the-middle attack).
-
Compromise of 2FA secrets and backup codes possible in combination with SQLi – (SiteGround Security <= 1.3.0)
The plugin stores users’ TOTP secret keys and emergency backup codes as plain text in the database. An attacker who is able to obtain one of the seemingly never-ending read-only SQL injections will be able to bypass all 2FA checks for all users indefinitely.
-
Total site takeover through broken 2FA authentication in combination with SQLi – (SiteGround Security <= 1.3.0)
An attacker can take over the entire site by logging in as any user with two-factor authentication enabled without knowing the user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.
-
Time-based side-channel attacks on secrets – (SiteGround Security <= 1.3.0)
The plugin uses string comparison operators that don’t mitigate time-based attacks in several places where secrets are compared to user input. A skilled attacker, given enough requests, can abuse this to reverse secrets using time-based side-channel attacks.
-
DoS and allowlist bypass through IP spoofing – (SiteGround Security <= 1.3.0)
The plugin is vulnerable to IP spoofing, which an attacker can abuse to perform a DoS attack on the target site by preventing legitimate users or the site’s reverse proxy from making requests to the wp-login endpoint. Alternatively, an attacker can spoof their IP address to bypass all rate-limit restrictions.