| Affected plugin | Two-Factor (Plugin contributors) | 
| Active installs | 40,000+ | 
| Vulnerable version | <= 0.7.2 | 
| Audited version | 0.7.1 | 
| Fully patched version | PENDING | 
| Recommended remediation | PENDING | 
Description
The plugin stores users' TOTP secret keys as plaintext in the database. An attacker who can exploit one of the seemingly never-ending read-only SQL injections can read every user's secret and will then be able to bypass all 2FA checks for all users indefinitely.
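The remediation is still pending, so the following is an added example of how a plugin could avoid this exposure; it is not code from the Two-Factor plugin. It encrypts each user's TOTP secret with libsodium's secretbox before writing it to user meta, using a key that lives outside the database (a hypothetical `TWO_FACTOR_SECRET_KEY` constant in `wp-config.php`). The meta key `_two_factor_totp_key_enc`, the function names and the TOTP secret value are all assumptions made for the example; the small `update_user_meta`/`get_user_meta` stubs exist only so the file runs outside WordPress.

```php
<?php
// Added example (not the Two-Factor plugin's own code): encrypt a user's TOTP
// secret at rest so that a read-only SQL injection only yields ciphertext.
// Assumptions: PHP >= 7.2 with the sodium extension; a 32-byte key kept
// OUTSIDE the database, e.g. as a constant in wp-config.php (hypothetical
// name TWO_FACTOR_SECRET_KEY); hypothetical meta key '_two_factor_totp_key_enc'.

declare(strict_types=1);

// Stand-in user-meta store so the file runs outside WordPress. Inside
// WordPress the real update_user_meta()/get_user_meta() are used instead.
if ( ! function_exists( 'update_user_meta' ) ) {
	$GLOBALS['__meta'] = [];
	function update_user_meta( int $user_id, string $key, $value ): bool {
		$GLOBALS['__meta'][ $user_id ][ $key ] = $value;
		return true;
	}
	function get_user_meta( int $user_id, string $key = '', bool $single = false ) {
		return $GLOBALS['__meta'][ $user_id ][ $key ] ?? '';
	}
}

// In production this constant belongs in wp-config.php and is never written
// to the database. The random key below exists only so the example runs.
if ( ! defined( 'TWO_FACTOR_SECRET_KEY' ) ) {
	define( 'TWO_FACTOR_SECRET_KEY', base64_encode( random_bytes( SODIUM_CRYPTO_SECRETBOX_KEYBYTES ) ) );
}

const TOTP_META_KEY_ENC = '_two_factor_totp_key_enc'; // hypothetical meta key

function two_factor_encryption_key(): string {
	$key = base64_decode( TWO_FACTOR_SECRET_KEY, true );
	if ( $key === false || strlen( $key ) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES ) {
		throw new RuntimeException( 'TWO_FACTOR_SECRET_KEY must be a base64-encoded 32-byte key' );
	}
	return $key;
}

// Store the base32 TOTP secret encrypted with XSalsa20-Poly1305 (secretbox).
// A fresh random nonce is prepended to the authenticated ciphertext.
function set_user_totp_key_encrypted( int $user_id, string $secret ): bool {
	$nonce      = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
	$ciphertext = sodium_crypto_secretbox( $secret, $nonce, two_factor_encryption_key() );
	$stored     = base64_encode( $nonce . $ciphertext );
	return update_user_meta( $user_id, TOTP_META_KEY_ENC, $stored );
}

// Decrypt on demand for code verification; returns null if absent or tampered.
function get_user_totp_key_decrypted( int $user_id ): ?string {
	$stored = get_user_meta( $user_id, TOTP_META_KEY_ENC, true );
	if ( ! is_string( $stored ) || $stored === '' ) {
		return null;
	}
	$raw = base64_decode( $stored, true );
	if ( $raw === false || strlen( $raw ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
		return null;
	}
	$nonce      = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
	$ciphertext = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
	$plain      = sodium_crypto_secretbox_open( $ciphertext, $nonce, two_factor_encryption_key() );
	return $plain === false ? null : $plain;
}

// Demonstration with a constructed TOTP secret for a constructed user id.
$secret = 'JBSWY3DPEHPK3PXP';
set_user_totp_key_encrypted( 42, $secret );
$stored = get_user_meta( 42, TOTP_META_KEY_ENC, true );
// This is all a SELECT meta_value ... on the row would return: base64 ciphertext.
echo "Stored value: {$stored}\n";
echo 'Round-trip matches: ' . var_export( get_user_totp_key_decrypted( 42 ) === 'JBSWY3DPEHPK3PXP', true ) . "\n";
```

The design point is where the key lives: a read-only SQL injection can query `wp_usermeta` but cannot read `wp-config.php`, so the ciphertext alone is useless to the attacker. It raises the bar rather than removing the risk, since an attacker with file read or code execution on the host still obtains both key and ciphertext, and the secret must be decrypted in memory for every verification. Per-row nonces keep identical secrets from producing identical ciphertext, and the Poly1305 tag makes a tampered row fail closed (`null`) instead of verifying against attacker-chosen data.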
Proof of concept
The plugin stores users' TOTP secrets as plaintext in the "wp_usermeta" table.

```php
public function set_user_totp_key( $user_id, $key ) {
	return update_user_meta( $user_id, self::SECRET_META_KEY, $key );
}
```

An attacker can abuse a read-only SQLi to compromise all two-factor checks for all users by getting the following SQL query to execute:

```sql
SELECT meta_value, meta_key FROM wp_usermeta WHERE meta_key = '_two_factor_totp_key'
```

Timeline
| Vendor contacted | September 07, 2022 | 
| First Response | September 07, 2022 | 
| Fully patched at | PENDING | 
| Publicly disclosed | April 24, 2023 | 