Security vulnerabilities in Two-Factor (Plugin Contributors) (3)
-
Broken authentication leads to total site takeover in combination with read-only SQLi – (Two-Factor <= 0.7.1)
An attacker can take over the entire site by logging in as any user who has two-factor authentication enabled, without knowing that user’s primary credentials. The only precondition is that any plugin, theme, or WordPress core has one of the endless read-only SQL-injection vulnerabilities.
-
Compromise of 2FA secrets and backup codes possible in combination with SQLi – (Two-Factor <= 0.7.2)
The plugin stores users’ TOTP secret keys and emergency backup codes as plain text in the database. An attacker who can exploit one of the seemingly never-ending read-only SQL injections can bypass all 2FA checks for all users indefinitely.
-
Time-based side-channel attack on secrets – (Two-Factor <= 0.7.1)
The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse this to recover secrets through a time-based side-channel attack.
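As an added illustration of the third issue (example code, not the plugin’s own): a PHP TOTP verifier that compares the expected code with === beside one that uses hash_equals(). The TOTP routine, the function names and the RFC 6238 test vector (ASCII secret "12345678901234567890", T = 59) are assumptions of this example, not taken from the plugin.

```php
<?php
// Added example, not code from the Two-Factor plugin: verifying a TOTP code
// with a constant-time comparison, beside the timing-unsafe pattern.
// RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits).
function totp_code(string $secret, int $timestamp, int $step = 30, int $digits = 6): string
{
    $counter = intdiv($timestamp, $step);
    $hash    = hash_hmac('sha1', pack('J', $counter), $secret, true); // 64-bit big-endian counter
    $offset  = ord($hash[19]) & 0x0f;                                // dynamic truncation (RFC 4226)
    $bin     = ((ord($hash[$offset]) & 0x7f) << 24)
             | (ord($hash[$offset + 1]) << 16)
             | (ord($hash[$offset + 2]) << 8)
             |  ord($hash[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Timing-unsafe: === returns as soon as a byte differs, so the response time
// depends on how many leading digits of the submitted code are correct.
function verify_totp_unsafe(string $secret, string $user_code, int $now): bool
{
    return totp_code($secret, $now) === $user_code;
}

// Hardened: hash_equals() takes time independent of where the strings differ,
// and every slot in the window is compared, so the loop length is fixed too.
// Rate limiting at the login endpoint is still needed: the attacker model
// above assumes many requests, and a 6-digit code has only 10^6 values.
function verify_totp_safe(string $secret, string $user_code, int $now, int $window = 1): bool
{
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        $expected = totp_code($secret, $now + $i * 30);
        $ok = hash_equals($expected, $user_code) || $ok; // hash_equals() first, so it always runs
    }
    return $ok;
}

// Demo with the RFC 6238 test vector (constructed input for this example).
$secret = '12345678901234567890';
var_dump(verify_totp_safe($secret, '287082', 59));
var_dump(verify_totp_safe($secret, '000000', 59));
```

The same hash_equals() pattern applies wherever a stored secret or backup code is checked against user input, which is the class of comparison the advisory describes.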